sergey/fido2-manage
1
0
Fork 0
mirror of https://github.com/token2/fido2-manage.git synced 2026-04-09 10:45:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add files via upload

Browse Source
This commit is contained in:
Token2
2024-05-24 11:44:25 +02:00
committed by GitHub
parent df1b66988f
commit ca68f70495
71 changed files with 13997 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

417
man/CMakeLists.txt Normal file
View File

@@ -0,0 +1,417 @@
# Copyright (c) 2018-2022 Yubico AB. All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
# SPDX-License-Identifier: BSD-2-Clause
find_program(MANDOC_PATH mandoc)
find_program(GZIP_PATH gzip)
message(STATUS "MANDOC_PATH: ${MANDOC_PATH}")
message(STATUS "GZIP_PATH: ${GZIP_PATH}")
list(APPEND MAN_SOURCES
eddsa_pk_new.3
es256_pk_new.3
es384_pk_new.3
fido2-assert.1
fido2-cred.1
fido2-token.1
fido_init.3
fido_assert_new.3
fido_assert_allow_cred.3
fido_assert_set_authdata.3
fido_assert_verify.3
fido_bio_dev_get_info.3
fido_bio_enroll_new.3
fido_bio_info_new.3
fido_bio_template.3
fido_cbor_info_new.3
fido_cred_new.3
fido_cred_exclude.3
fido_credman_metadata_new.3
fido_cred_set_authdata.3
fido_cred_verify.3
fido_dev_enable_entattest.3
fido_dev_get_assert.3
fido_dev_get_touch_begin.3
fido_dev_info_manifest.3
fido_dev_largeblob_get.3
fido_dev_make_cred.3
fido_dev_open.3
fido_dev_set_io_functions.3
fido_dev_set_pin.3
fido_strerr.3
rs256_pk_new.3
)
list(APPEND MAN_ALIAS
eddsa_pk_new eddsa_pk_free
eddsa_pk_new eddsa_pk_from_EVP_PKEY
eddsa_pk_new eddsa_pk_from_ptr
eddsa_pk_new eddsa_pk_to_EVP_PKEY
es256_pk_new es256_pk_free
es256_pk_new es256_pk_from_EC_KEY
es256_pk_new es256_pk_from_EVP_PKEY
es256_pk_new es256_pk_from_ptr
es256_pk_new es256_pk_to_EVP_PKEY
es384_pk_new es384_pk_free
es384_pk_new es384_pk_from_EC_KEY
es384_pk_new es384_pk_from_EVP_PKEY
es384_pk_new es384_pk_from_ptr
es384_pk_new es384_pk_to_EVP_PKEY
fido_assert_allow_cred fido_assert_empty_allow_list
fido_assert_new fido_assert_authdata_len
fido_assert_new fido_assert_authdata_ptr
fido_assert_new fido_assert_authdata_raw_len
fido_assert_new fido_assert_authdata_raw_ptr
fido_assert_new fido_assert_blob_len
fido_assert_new fido_assert_blob_ptr
fido_assert_new fido_assert_clientdata_hash_len
fido_assert_new fido_assert_clientdata_hash_ptr
fido_assert_new fido_assert_count
fido_assert_new fido_assert_flags
fido_assert_new fido_assert_free
fido_assert_new fido_assert_hmac_secret_len
fido_assert_new fido_assert_hmac_secret_ptr
fido_assert_new fido_assert_id_len
fido_assert_new fido_assert_id_ptr
fido_assert_new fido_assert_largeblob_key_len
fido_assert_new fido_assert_largeblob_key_ptr
fido_assert_new fido_assert_rp_id
fido_assert_new fido_assert_sigcount
fido_assert_new fido_assert_sig_len
fido_assert_new fido_assert_sig_ptr
fido_assert_new fido_assert_user_display_name
fido_assert_new fido_assert_user_icon
fido_assert_new fido_assert_user_id_len
fido_assert_new fido_assert_user_id_ptr
fido_assert_new fido_assert_user_name
fido_assert_set_authdata fido_assert_set_authdata_raw
fido_assert_set_authdata fido_assert_set_clientdata
fido_assert_set_authdata fido_assert_set_clientdata_hash
fido_assert_set_authdata fido_assert_set_count
fido_assert_set_authdata fido_assert_set_extensions
fido_assert_set_authdata fido_assert_set_hmac_salt
fido_assert_set_authdata fido_assert_set_hmac_secret
fido_assert_set_authdata fido_assert_set_rp
fido_assert_set_authdata fido_assert_set_sig
fido_assert_set_authdata fido_assert_set_up
fido_assert_set_authdata fido_assert_set_uv
fido_assert_set_authdata fido_assert_set_winhello_appid
fido_bio_dev_get_info fido_bio_dev_enroll_begin
fido_bio_dev_get_info fido_bio_dev_enroll_cancel
fido_bio_dev_get_info fido_bio_dev_enroll_continue
fido_bio_dev_get_info fido_bio_dev_enroll_remove
fido_bio_dev_get_info fido_bio_dev_get_template_array
fido_bio_dev_get_info fido_bio_dev_set_template_name
fido_bio_enroll_new fido_bio_enroll_free
fido_bio_enroll_new fido_bio_enroll_last_status
fido_bio_enroll_new fido_bio_enroll_remaining_samples
fido_bio_info_new fido_bio_info_free
fido_bio_info_new fido_bio_info_max_samples
fido_bio_info_new fido_bio_info_type
fido_bio_template fido_bio_template_array_count
fido_bio_template fido_bio_template_array_free
fido_bio_template fido_bio_template_array_new
fido_bio_template fido_bio_template_free
fido_bio_template fido_bio_template_id_len
fido_bio_template fido_bio_template_id_ptr
fido_bio_template fido_bio_template_name
fido_bio_template fido_bio_template_new
fido_bio_template fido_bio_template_set_id
fido_bio_template fido_bio_template_set_name
fido_cbor_info_new fido_cbor_info_aaguid_len
fido_cbor_info_new fido_cbor_info_aaguid_ptr
fido_cbor_info_new fido_cbor_info_algorithm_cose
fido_cbor_info_new fido_cbor_info_algorithm_count
fido_cbor_info_new fido_cbor_info_algorithm_type
fido_cbor_info_new fido_cbor_info_certs_len
fido_cbor_info_new fido_cbor_info_certs_name_ptr
fido_cbor_info_new fido_cbor_info_certs_value_ptr
fido_cbor_info_new fido_cbor_info_extensions_len
fido_cbor_info_new fido_cbor_info_extensions_ptr
fido_cbor_info_new fido_cbor_info_free
fido_cbor_info_new fido_cbor_info_fwversion
fido_cbor_info_new fido_cbor_info_maxcredbloblen
fido_cbor_info_new fido_cbor_info_maxcredcntlst
fido_cbor_info_new fido_cbor_info_maxcredidlen
fido_cbor_info_new fido_cbor_info_maxlargeblob
fido_cbor_info_new fido_cbor_info_maxmsgsiz
fido_cbor_info_new fido_cbor_info_maxrpid_minpinlen
fido_cbor_info_new fido_cbor_info_minpinlen
fido_cbor_info_new fido_cbor_info_new_pin_required
fido_cbor_info_new fido_cbor_info_options_len
fido_cbor_info_new fido_cbor_info_options_name_ptr
fido_cbor_info_new fido_cbor_info_options_value_ptr
fido_cbor_info_new fido_cbor_info_protocols_len
fido_cbor_info_new fido_cbor_info_protocols_ptr
fido_cbor_info_new fido_cbor_info_rk_remaining
fido_cbor_info_new fido_cbor_info_transports_len
fido_cbor_info_new fido_cbor_info_transports_ptr
fido_cbor_info_new fido_cbor_info_uv_attempts
fido_cbor_info_new fido_cbor_info_uv_modality
fido_cbor_info_new fido_cbor_info_versions_len
fido_cbor_info_new fido_cbor_info_versions_ptr
fido_cbor_info_new fido_dev_get_cbor_info
fido_cred_exclude fido_cred_empty_exclude_list
fido_cred_new fido_cred_aaguid_len
fido_cred_new fido_cred_aaguid_ptr
fido_cred_new fido_cred_attstmt_len
fido_cred_new fido_cred_attstmt_ptr
fido_cred_new fido_cred_authdata_len
fido_cred_new fido_cred_authdata_ptr
fido_cred_new fido_cred_authdata_raw_len
fido_cred_new fido_cred_authdata_raw_ptr
fido_cred_new fido_cred_clientdata_hash_len
fido_cred_new fido_cred_clientdata_hash_ptr
fido_cred_new fido_cred_display_name
fido_cred_new fido_cred_flags
fido_cred_new fido_cred_fmt
fido_cred_new fido_cred_free
fido_cred_new fido_cred_id_len
fido_cred_new fido_cred_id_ptr
fido_cred_new fido_cred_largeblob_key_len
fido_cred_new fido_cred_largeblob_key_ptr
fido_cred_new fido_cred_pin_minlen
fido_cred_new fido_cred_prot
fido_cred_new fido_cred_pubkey_len
fido_cred_new fido_cred_pubkey_ptr
fido_cred_new fido_cred_rp_id
fido_cred_new fido_cred_rp_name
fido_cred_new fido_cred_sigcount
fido_cred_new fido_cred_sig_len
fido_cred_new fido_cred_sig_ptr
fido_cred_new fido_cred_type
fido_cred_new fido_cred_user_id_len
fido_cred_new fido_cred_user_id_ptr
fido_cred_new fido_cred_user_name
fido_cred_new fido_cred_x5c_len
fido_cred_new fido_cred_x5c_list_count
fido_cred_new fido_cred_x5c_list_len
fido_cred_new fido_cred_x5c_list_ptr
fido_cred_new fido_cred_x5c_ptr
fido_cred_verify fido_cred_verify_self
fido_credman_metadata_new fido_credman_del_dev_rk
fido_credman_metadata_new fido_credman_get_dev_metadata
fido_credman_metadata_new fido_credman_get_dev_rk
fido_credman_metadata_new fido_credman_get_dev_rp
fido_credman_metadata_new fido_credman_metadata_free
fido_credman_metadata_new fido_credman_rk
fido_credman_metadata_new fido_credman_rk_count
fido_credman_metadata_new fido_credman_rk_existing
fido_credman_metadata_new fido_credman_rk_free
fido_credman_metadata_new fido_credman_rk_new
fido_credman_metadata_new fido_credman_rk_remaining
fido_credman_metadata_new fido_credman_rp_count
fido_credman_metadata_new fido_credman_rp_free
fido_credman_metadata_new fido_credman_rp_id
fido_credman_metadata_new fido_credman_rp_id_hash_len
fido_credman_metadata_new fido_credman_rp_id_hash_ptr
fido_credman_metadata_new fido_credman_rp_name
fido_credman_metadata_new fido_credman_rp_new
fido_credman_metadata_new fido_credman_set_dev_rk
fido_cred_set_authdata fido_cred_set_attstmt
fido_cred_set_authdata fido_cred_set_attobj
fido_cred_set_authdata fido_cred_set_authdata_raw
fido_cred_set_authdata fido_cred_set_blob
fido_cred_set_authdata fido_cred_set_clientdata
fido_cred_set_authdata fido_cred_set_clientdata_hash
fido_cred_set_authdata fido_cred_set_extensions
fido_cred_set_authdata fido_cred_set_fmt
fido_cred_set_authdata fido_cred_set_id
fido_cred_set_authdata fido_cred_set_pin_minlen
fido_cred_set_authdata fido_cred_set_prot
fido_cred_set_authdata fido_cred_set_rk
fido_cred_set_authdata fido_cred_set_rp
fido_cred_set_authdata fido_cred_set_sig
fido_cred_set_authdata fido_cred_set_type
fido_cred_set_authdata fido_cred_set_user
fido_cred_set_authdata fido_cred_set_uv
fido_cred_set_authdata fido_cred_set_x509
fido_dev_enable_entattest fido_dev_toggle_always_uv
fido_dev_enable_entattest fido_dev_force_pin_change
fido_dev_enable_entattest fido_dev_set_pin_minlen
fido_dev_enable_entattest fido_dev_set_pin_minlen_rpid
fido_dev_get_touch_begin fido_dev_get_touch_status
fido_dev_info_manifest fido_dev_info_free
fido_dev_info_manifest fido_dev_info_manufacturer_string
fido_dev_info_manifest fido_dev_info_new
fido_dev_info_manifest fido_dev_info_path
fido_dev_info_manifest fido_dev_info_product
fido_dev_info_manifest fido_dev_info_product_string
fido_dev_info_manifest fido_dev_info_ptr
fido_dev_info_manifest fido_dev_info_set
fido_dev_info_manifest fido_dev_info_vendor
fido_dev_open fido_dev_build
fido_dev_open fido_dev_cancel
fido_dev_open fido_dev_close
fido_dev_open fido_dev_flags
fido_dev_open fido_dev_force_fido2
fido_dev_open fido_dev_force_u2f
fido_dev_open fido_dev_free
fido_dev_open fido_dev_has_pin
fido_dev_open fido_dev_has_uv
fido_dev_open fido_dev_is_fido2
fido_dev_open fido_dev_is_winhello
fido_dev_open fido_dev_major
fido_dev_open fido_dev_minor
fido_dev_open fido_dev_new
fido_dev_open fido_dev_new_with_info
fido_dev_open fido_dev_open_with_info
fido_dev_open fido_dev_protocol
fido_dev_open fido_dev_supports_cred_prot
fido_dev_open fido_dev_supports_credman
fido_dev_open fido_dev_supports_permissions
fido_dev_open fido_dev_supports_pin
fido_dev_open fido_dev_supports_uv
fido_dev_set_pin fido_dev_get_retry_count
fido_dev_set_pin fido_dev_get_uv_retry_count
fido_dev_set_pin fido_dev_reset
fido_dev_set_io_functions fido_dev_io_handle
fido_dev_set_io_functions fido_dev_set_sigmask
fido_dev_set_io_functions fido_dev_set_timeout
fido_dev_set_io_functions fido_dev_set_transport_functions
fido_dev_largeblob_get fido_dev_largeblob_set
fido_dev_largeblob_get fido_dev_largeblob_remove
fido_dev_largeblob_get fido_dev_largeblob_get_array
fido_dev_largeblob_get fido_dev_largeblob_set_array
fido_init fido_set_log_handler
rs256_pk_new rs256_pk_free
rs256_pk_new rs256_pk_from_ptr
rs256_pk_new rs256_pk_from_EVP_PKEY
rs256_pk_new rs256_pk_from_RSA
rs256_pk_new rs256_pk_to_EVP_PKEY
)
list(LENGTH MAN_ALIAS MAN_ALIAS_LEN)
math(EXPR MAN_ALIAS_MAX "${MAN_ALIAS_LEN} - 2")
# man_copy
foreach(f ${MAN_SOURCES})
add_custom_command(OUTPUT ${f}
COMMAND cp -f ${PROJECT_SOURCE_DIR}/man/${f} .
DEPENDS ${f})
list(APPEND COPY_FILES ${f})
endforeach()
# man_lint
foreach(f ${MAN_SOURCES})
add_custom_command(OUTPUT ${f}.lint
COMMAND mandoc -T lint -W warning ${f} > ${f}.lint
DEPENDS ${f})
list(APPEND LINT_FILES ${f}.lint)
endforeach()
# man_html
foreach(f ${MAN_SOURCES})
string(REGEX REPLACE "\\.[13]$" "" g ${f})
add_custom_command(OUTPUT ${g}.html
COMMAND mandoc -T html -O man="%N.html",style=style.css -I os="Yubico AB" ${f} > ${g}.html
DEPENDS ${f})
list(APPEND HTML_FILES ${g}.html)
endforeach()
# man_html_partial
foreach(f ${MAN_SOURCES})
string(REGEX REPLACE "\\.[13]$" "" g ${f})
add_custom_command(OUTPUT ${g}.partial
COMMAND cat ${PROJECT_SOURCE_DIR}/man/dyc.css > ${g}.partial
COMMAND mandoc -T html -O man="%N.html",fragment ${f} >> ${g}.partial
DEPENDS ${f})
list(APPEND HTML_PARTIAL_FILES ${g}.partial)
endforeach()
# man_gzip
foreach(f ${MAN_SOURCES})
add_custom_command(OUTPUT ${f}.gz
COMMAND gzip -cn ${f} > ${f}.gz
DEPENDS ${f})
list(APPEND GZ_FILES ${f}.gz)
endforeach()
macro(define_symlink_target NAME EXT)
foreach(i RANGE 0 ${MAN_ALIAS_MAX} 2)
math(EXPR j "${i} + 1")
list(GET MAN_ALIAS ${i} SRC)
list(GET MAN_ALIAS ${j} DST)
add_custom_command(OUTPUT ${DST}.${EXT}
COMMAND ln -sf ${SRC}.${EXT} ${DST}.${EXT})
list(APPEND ${NAME}_LINK_FILES ${DST}.${EXT})
endforeach()
add_custom_target(${NAME} DEPENDS ${${NAME}_LINK_FILES})
endmacro()
add_custom_target(man_copy DEPENDS ${COPY_FILES})
add_custom_target(man_lint DEPENDS ${LINT_FILES})
add_custom_target(man_html DEPENDS ${HTML_FILES})
add_custom_target(man_html_partial DEPENDS ${HTML_PARTIAL_FILES})
add_custom_target(man_gzip DEPENDS ${GZ_FILES})
define_symlink_target(man_symlink 3)
define_symlink_target(man_symlink_html html)
define_symlink_target(man_symlink_html_partial partial)
define_symlink_target(man_symlink_gzip 3.gz)
add_dependencies(man_symlink man_copy)
add_dependencies(man_lint man_symlink)
add_dependencies(man_html man_lint)
add_dependencies(man_symlink_html man_html)
add_dependencies(man_html_partial man_lint)
add_dependencies(man_symlink_html_partial man_html_partial)
add_custom_target(man ALL)
if(MANDOC_PATH)
add_dependencies(man man_symlink_html)
add_dependencies(man_gzip man_lint)
install(FILES ${PROJECT_SOURCE_DIR}/man/style.css
DESTINATION "${CMAKE_INSTALL_DOCDIR}/html")
foreach(f ${MAN_SOURCES})
string(REGEX REPLACE "\\.[13]$" "" f ${f})
install(FILES ${PROJECT_BINARY_DIR}/man/${f}.html
DESTINATION "${CMAKE_INSTALL_DOCDIR}/html")
endforeach()
foreach(i RANGE 0 ${MAN_ALIAS_MAX} 2)
math(EXPR j "${i} + 1")
list(GET MAN_ALIAS ${j} DST)
install(FILES ${PROJECT_BINARY_DIR}/man/${DST}.html
DESTINATION "${CMAKE_INSTALL_DOCDIR}/html")
endforeach()
endif()
if(GZIP_PATH)
add_dependencies(man_gzip man_copy)
add_dependencies(man_symlink_gzip man_gzip)
add_dependencies(man man_symlink_gzip)
foreach(f ${MAN_SOURCES})
if (${f} MATCHES ".1$")
install(FILES ${PROJECT_BINARY_DIR}/man/${f}.gz
DESTINATION "${CMAKE_INSTALL_MANDIR}/man1")
elseif(${f} MATCHES ".3$")
install(FILES ${PROJECT_BINARY_DIR}/man/${f}.gz
DESTINATION "${CMAKE_INSTALL_MANDIR}/man3")
endif()
endforeach()
foreach(i RANGE 0 ${MAN_ALIAS_MAX} 2)
math(EXPR j "${i} + 1")
list(GET MAN_ALIAS ${j} DST)
install(FILES ${PROJECT_BINARY_DIR}/man/${DST}.3.gz
DESTINATION "${CMAKE_INSTALL_MANDIR}/man3")
endforeach()
else()
add_dependencies(man man_symlink)
foreach(f ${MAN_SOURCES})
if (${f} MATCHES ".1$")
install(FILES ${PROJECT_BINARY_DIR}/man/${f}
DESTINATION "${CMAKE_INSTALL_MANDIR}/man1")
elseif(${f} MATCHES ".3$")
install(FILES ${PROJECT_BINARY_DIR}/man/${f}
DESTINATION "${CMAKE_INSTALL_MANDIR}/man3")
endif()
endforeach()
foreach(i RANGE 0 ${MAN_ALIAS_MAX} 2)
math(EXPR j "${i} + 1")
list(GET MAN_ALIAS ${j} DST)
install(FILES ${PROJECT_BINARY_DIR}/man/${DST}.3
DESTINATION "${CMAKE_INSTALL_MANDIR}/man3")
endforeach()
endif()

7
man/NOTES Normal file
View File

@@ -0,0 +1,7 @@
To generate .partial files for https://developers.yubico.com/:
$ make -C build man_symlink_html_partial
$ (cd build/man && pax -p p -r -w *.partial /tmp/partial)
Use mandoc 1.14.4. Otherwise, adjust dyc.css to mandoc's HTML
output.

43
man/check.sh Normal file
View File

@@ -0,0 +1,43 @@
#!/bin/sh -u
# Copyright (c) 2022 Yubico AB. All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
# SPDX-License-Identifier: BSD-2-Clause
T=$(mktemp -d) || exit 1
find . -maxdepth 1 -type f -name '*.3' -print0 > "$T/files"
xargs -0 awk '/^.Sh NAME/,/^.Nd/' < "$T/files" | \
awk '/^.Nm/ { print $2 }' | sort -u > "$T/Nm"
xargs -0 awk '/^.Fn/ { print $2 }' < "$T/files" | sort -u > "$T/Fn"
(cd "$T" && diff -u Nm Fn)
cut -c2- ../src/export.llvm | sort > "$T/exports"
(cd "$T" && diff -u Nm exports)
awk '/^list\(APPEND MAN_SOURCES/,/^\)/' CMakeLists.txt | \
awk '/.3$/ { print $1 }' | sort > "$T/listed_sources"
xargs -0 -n1 basename < "$T/files" | sort > "$T/actual_sources"
(cd "$T" && diff -u listed_sources actual_sources)
awk '/^list\(APPEND MAN_ALIAS/,/^\)/' CMakeLists.txt | \
sed '1d;$d' | awk '{ print $1, $2 }' | sort > "$T/listed_aliases"
xargs -0 grep -o "^.Fn [A-Za-z0-9_]* \"" < "$T/files" | \
cut -c3- | sed 's/\.3:\.Fn//;s/ "//' | awk '$1 != $2' | \
sort > "$T/actual_aliases"
(cd "$T" && diff -u listed_aliases actual_aliases)
xargs -0 grep -hB1 "^.Fn [A-Za-z0-9_]* \"" < "$T/files" | \
sed -E 's/^.F[tn] //;s/\*[^"\*]+"/\*"/g;s/ [^" \*]+"/"/g;/^--$/d' | \
paste -d " " - - | sed 's/\* /\*/' | sort > "$T/documented_prototypes"
while read -r f; do
awk "/\/\*/ { next } /$f\(/,/;/" ../src/fido.h ../src/fido/*.h | \
sed -E 's/^[ ]+//;s/[ ]+/ /' | tr '\n' ' ' | \
sed 's/(/ "/;s/, /" "/g;s/);/"/;s/ $/\n/'
done < "$T/exports" | sort > "$T/actual_prototypes"
(cd "$T" && diff -u documented_prototypes actual_prototypes)
(cd "$T" && rm files Nm Fn exports listed_sources actual_sources \
listed_aliases actual_aliases documented_prototypes actual_prototypes)
rmdir -- "$T"

14
man/dyc.css Normal file
View File

@@ -0,0 +1,14 @@
<style>
table.head, table.foot { width: 100%; }
td.head-rtitle, td.foot-os { text-align: right; }
td.head-vol { text-align: center; }
div.Pp { margin: 1ex 0ex; }
div.Nd, div.Bf, div.Op { display: inline; }
span.Pa, span.Ad { font-style: italic; }
span.Ms { font-weight: bold; }
dl.Bl-diag > dt { font-weight: bold; }
code.Nm, code.Fl, code.Cm, code.Ic, code.In, code.Fd, code.Fn,
code.Cd { font-weight: bold; font-family: monospace; }
var { font-family: monospace; }
.Sh { font-size: 1.5em; padding-top: 1em; padding-bottom: 1em; }
</style>

146
man/eddsa_pk_new.3 Normal file
View File

@@ -0,0 +1,146 @@
.\" Copyright (c) 2019-2022 Yubico AB. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions are
.\" met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in
.\" the documentation and/or other materials provided with the
.\" distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" SPDX-License-Identifier: BSD-2-Clause
.\"
.Dd $Mdocdate: July 15 2022 $
.Dt EDDSA_PK_NEW 3
.Os
.Sh NAME
.Nm eddsa_pk_new ,
.Nm eddsa_pk_free ,
.Nm eddsa_pk_from_EVP_PKEY ,
.Nm eddsa_pk_from_ptr ,
.Nm eddsa_pk_to_EVP_PKEY
.Nd FIDO2 COSE EDDSA API
.Sh SYNOPSIS
.In openssl/evp.h
.In fido/eddsa.h
.Ft eddsa_pk_t *
.Fn eddsa_pk_new "void"
.Ft void
.Fn eddsa_pk_free "eddsa_pk_t **pkp"
.Ft int
.Fn eddsa_pk_from_EVP_PKEY "eddsa_pk_t *pk" "const EVP_PKEY *pkey"
.Ft int
.Fn eddsa_pk_from_ptr "eddsa_pk_t *pk" "const void *ptr" "size_t len"
.Ft EVP_PKEY *
.Fn eddsa_pk_to_EVP_PKEY "const eddsa_pk_t *pk"
.Sh DESCRIPTION
EDDSA is the name given in the CBOR Object Signing and Encryption
(COSE) RFC to EDDSA over Curve25519 with SHA-512.
The COSE EDDSA API of
.Em libfido2
is an auxiliary API with routines to convert between the different
EDDSA public key types used in
.Em libfido2
and
.Em OpenSSL .
.Pp
In
.Em libfido2 ,
EDDSA public keys are abstracted by the
.Vt eddsa_pk_t
type.
.Pp
The
.Fn eddsa_pk_new
function returns a pointer to a newly allocated, empty
.Vt eddsa_pk_t
type.
If memory cannot be allocated, NULL is returned.
.Pp
The
.Fn eddsa_pk_free
function releases the memory backing
.Fa *pkp ,
where
.Fa *pkp
must have been previously allocated by
.Fn eddsa_pk_new .
On return,
.Fa *pkp
is set to NULL.
Either
.Fa pkp
or
.Fa *pkp
may be NULL, in which case
.Fn eddsa_pk_free
is a NOP.
.Pp
The
.Fn eddsa_pk_from_EVP_PKEY
function fills
.Fa pk
with the contents of
.Fa pkey .
No references to
.Fa pkey
are kept.
.Pp
The
.Fn eddsa_pk_from_ptr
function fills
.Fa pk
with the contents of
.Fa ptr ,
where
.Fa ptr
points to
.Fa len
bytes.
No references to
.Fa ptr
are kept.
.Pp
The
.Fn eddsa_pk_to_EVP_PKEY
function converts
.Fa pk
to a newly allocated
.Fa EVP_PKEY
type with a reference count of 1.
No internal references to the returned pointer are kept.
If an error occurs,
.Fn eddsa_pk_to_EVP_PKEY
returns NULL.
.Sh RETURN VALUES
The
.Fn eddsa_pk_from_EVP_PKEY
and
.Fn eddsa_pk_from_ptr
functions return
.Dv FIDO_OK
on success.
On error, a different error code defined in
.In fido/err.h
is returned.
.Sh SEE ALSO
.Xr es256_pk_new 3 ,
.Xr es384_pk_new 3 ,
.Xr fido_assert_verify 3 ,
.Xr fido_cred_pubkey_ptr 3 ,
.Xr rs256_pk_new 3

164
man/es256_pk_new.3 Normal file
View File

@@ -0,0 +1,164 @@
.\" Copyright (c) 2018-2022 Yubico AB. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions are
.\" met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in
.\" the documentation and/or other materials provided with the
.\" distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" SPDX-License-Identifier: BSD-2-Clause
.\"
.Dd $Mdocdate: July 15 2022 $
.Dt ES256_PK_NEW 3
.Os
.Sh NAME
.Nm es256_pk_new ,
.Nm es256_pk_free ,
.Nm es256_pk_from_EC_KEY ,
.Nm es256_pk_from_EVP_PKEY ,
.Nm es256_pk_from_ptr ,
.Nm es256_pk_to_EVP_PKEY
.Nd FIDO2 COSE ES256 API
.Sh SYNOPSIS
.In openssl/ec.h
.In fido/es256.h
.Ft es256_pk_t *
.Fn es256_pk_new "void"
.Ft void
.Fn es256_pk_free "es256_pk_t **pkp"
.Ft int
.Fn es256_pk_from_EC_KEY "es256_pk_t *pk" "const EC_KEY *ec"
.Ft int
.Fn es256_pk_from_EVP_PKEY "es256_pk_t *pk" "const EVP_PKEY *pkey"
.Ft int
.Fn es256_pk_from_ptr "es256_pk_t *pk" "const void *ptr" "size_t len"
.Ft EVP_PKEY *
.Fn es256_pk_to_EVP_PKEY "const es256_pk_t *pk"
.Sh DESCRIPTION
ES256 is the name given in the CBOR Object Signing and Encryption
(COSE) RFC to ECDSA over P-256 with SHA-256.
The COSE ES256 API of
.Em libfido2
is an auxiliary API with routines to convert between the different
ECDSA public key types used in
.Em libfido2
and
.Em OpenSSL .
.Pp
In
.Em libfido2 ,
ES256 public keys are abstracted by the
.Vt es256_pk_t
type.
.Pp
The
.Fn es256_pk_new
function returns a pointer to a newly allocated, empty
.Vt es256_pk_t
type.
If memory cannot be allocated, NULL is returned.
.Pp
The
.Fn es256_pk_free
function releases the memory backing
.Fa *pkp ,
where
.Fa *pkp
must have been previously allocated by
.Fn es256_pk_new .
On return,
.Fa *pkp
is set to NULL.
Either
.Fa pkp
or
.Fa *pkp
may be NULL, in which case
.Fn es256_pk_free
is a NOP.
.Pp
The
.Fn es256_pk_from_EC_KEY
function fills
.Fa pk
with the contents of
.Fa ec .
No references to
.Fa ec
are kept.
.Pp
The
.Fn es256_pk_from_EVP_PKEY
function fills
.Fa pk
with the contents of
.Fa pkey .
No references to
.Fa pkey
are kept.
.Pp
The
.Fn es256_pk_from_ptr
function fills
.Fa pk
with the contents of
.Fa ptr ,
where
.Fa ptr
points to
.Fa len
bytes.
The
.Fa ptr
pointer may point to an uncompressed point, or to the
concatenation of the x and y coordinates.
No references to
.Fa ptr
are kept.
.Pp
The
.Fn es256_pk_to_EVP_PKEY
function converts
.Fa pk
to a newly allocated
.Fa EVP_PKEY
type with a reference count of 1.
No internal references to the returned pointer are kept.
If an error occurs,
.Fn es256_pk_to_EVP_PKEY
returns NULL.
.Sh RETURN VALUES
The
.Fn es256_pk_from_EC_KEY ,
.Fn es256_pk_from_EVP_PKEY ,
and
.Fn es256_pk_from_ptr
functions return
.Dv FIDO_OK
on success.
On error, a different error code defined in
.In fido/err.h
is returned.
.Sh SEE ALSO
.Xr eddsa_pk_new 3 ,
.Xr es384_pk_new 3 ,
.Xr fido_assert_verify 3 ,
.Xr fido_cred_pubkey_ptr 3 ,
.Xr rs256_pk_new 3

164
man/es384_pk_new.3 Normal file
View File

@@ -0,0 +1,164 @@
.\" Copyright (c) 2022 Yubico AB. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions are
.\" met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in
.\" the documentation and/or other materials provided with the
.\" distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" SPDX-License-Identifier: BSD-2-Clause
.\"
.Dd $Mdocdate: July 15 2022 $
.Dt ES384_PK_NEW 3
.Os
.Sh NAME
.Nm es384_pk_new ,
.Nm es384_pk_free ,
.Nm es384_pk_from_EC_KEY ,
.Nm es384_pk_from_EVP_PKEY ,
.Nm es384_pk_from_ptr ,
.Nm es384_pk_to_EVP_PKEY
.Nd FIDO2 COSE ES384 API
.Sh SYNOPSIS
.In openssl/ec.h
.In fido/es384.h
.Ft es384_pk_t *
.Fn es384_pk_new "void"
.Ft void
.Fn es384_pk_free "es384_pk_t **pkp"
.Ft int
.Fn es384_pk_from_EC_KEY "es384_pk_t *pk" "const EC_KEY *ec"
.Ft int
.Fn es384_pk_from_EVP_PKEY "es384_pk_t *pk" "const EVP_PKEY *pkey"
.Ft int
.Fn es384_pk_from_ptr "es384_pk_t *pk" "const void *ptr" "size_t len"
.Ft EVP_PKEY *
.Fn es384_pk_to_EVP_PKEY "const es384_pk_t *pk"
.Sh DESCRIPTION
ES384 is the name given in the CBOR Object Signing and Encryption
(COSE) RFC to ECDSA over P-384 with SHA-384.
The COSE ES384 API of
.Em libfido2
is an auxiliary API with routines to convert between the different
ECDSA public key types used in
.Em libfido2
and
.Em OpenSSL .
.Pp
In
.Em libfido2 ,
ES384 public keys are abstracted by the
.Vt es384_pk_t
type.
.Pp
The
.Fn es384_pk_new
function returns a pointer to a newly allocated, empty
.Vt es384_pk_t
type.
If memory cannot be allocated, NULL is returned.
.Pp
The
.Fn es384_pk_free
function releases the memory backing
.Fa *pkp ,
where
.Fa *pkp
must have been previously allocated by
.Fn es384_pk_new .
On return,
.Fa *pkp
is set to NULL.
Either
.Fa pkp
or
.Fa *pkp
may be NULL, in which case
.Fn es384_pk_free
is a NOP.
.Pp
The
.Fn es384_pk_from_EC_KEY
function fills
.Fa pk
with the contents of
.Fa ec .
No references to
.Fa ec
are kept.
.Pp
The
.Fn es384_pk_from_EVP_PKEY
function fills
.Fa pk
with the contents of
.Fa pkey .
No references to
.Fa pkey
are kept.
.Pp
The
.Fn es384_pk_from_ptr
function fills
.Fa pk
with the contents of
.Fa ptr ,
where
.Fa ptr
points to
.Fa len
bytes.
The
.Fa ptr
pointer may point to an uncompressed point, or to the
concatenation of the x and y coordinates.
No references to
.Fa ptr
are kept.
.Pp
The
.Fn es384_pk_to_EVP_PKEY
function converts
.Fa pk
to a newly allocated
.Fa EVP_PKEY
type with a reference count of 1.
No internal references to the returned pointer are kept.
If an error occurs,
.Fn es384_pk_to_EVP_PKEY
returns NULL.
.Sh RETURN VALUES
The
.Fn es384_pk_from_EC_KEY ,
.Fn es384_pk_from_EVP_PKEY ,
and
.Fn es384_pk_from_ptr
functions return
.Dv FIDO_OK
on success.
On error, a different error code defined in
.In fido/err.h
is returned.
.Sh SEE ALSO
.Xr eddsa_pk_new 3 ,
.Xr es256_pk_new 3 ,
.Xr fido_assert_verify 3 ,
.Xr fido_cred_pubkey_ptr 3 ,
.Xr rs256_pk_new 3

286
man/fido2-assert.1 Normal file
View File

@@ -0,0 +1,286 @@
.\" Copyright (c) 2018-2023 Yubico AB. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions are
.\" met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in
.\" the documentation and/or other materials provided with the
.\" distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" SPDX-License-Identifier: BSD-2-Clause
.\"
.Dd $Mdocdate: July 3 2023 $
.Dt FIDO2-ASSERT 1
.Os
.Sh NAME
.Nm fido2-assert
.Nd get/verify a FIDO2 assertion
.Sh SYNOPSIS
.Nm
.Fl G
.Op Fl bdhpruvw
.Op Fl t Ar option
.Op Fl i Ar input_file
.Op Fl o Ar output_file
.Ar device
.Nm
.Fl V
.Op Fl dhpv
.Op Fl i Ar input_file
.Ar key_file
.Op Ar type
.Sh DESCRIPTION
.Nm
gets or verifies a FIDO2 assertion.
.Pp
The input of
.Nm
is defined by the parameters of the assertion to be obtained/verified.
See the
.Sx INPUT FORMAT
section for details.
.Pp
The output of
.Nm
is defined by the result of the selected operation.
See the
.Sx OUTPUT FORMAT
section for details.
.Pp
If an assertion is successfully obtained or verified,
.Nm
exits 0.
Otherwise,
.Nm
exits 1.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl G
Tells
.Nm
to obtain a new assertion from
.Ar device .
.It Fl V
Tells
.Nm
to verify an assertion using the PEM-encoded public key in
.Ar key_file
of type
.Ar type ,
where
.Ar type
may be
.Em es256
(denoting ECDSA over NIST P-256 with SHA-256),
.Em rs256
(denoting 2048-bit RSA with PKCS#1.5 padding and SHA-256), or
.Em eddsa
(denoting EDDSA over Curve25519 with SHA-512).
If
.Ar type
is not specified,
.Em es256
is assumed.
.It Fl b
Request the credential's
.Dq largeBlobKey ,
a 32-byte symmetric key associated with the asserted credential.
.It Fl h
If obtaining an assertion, enable the FIDO2 hmac-secret
extension.
If verifying an assertion, check whether the extension data bit was
signed by the authenticator.
.It Fl d
Causes
.Nm
to emit debugging output on
.Em stderr .
.It Fl i Ar input_file
Tells
.Nm
to read the parameters of the assertion from
.Ar input_file
instead of
.Em stdin .
.It Fl o Ar output_file
Tells
.Nm
to write output on
.Ar output_file
instead of
.Em stdout .
.It Fl p
If obtaining an assertion, request user presence.
If verifying an assertion, check whether the user presence bit was
signed by the authenticator.
.It Fl r
Obtain an assertion using a resident credential.
If
.Fl r
is specified,
.Nm
will not expect a credential id in its input, and may output
multiple assertions.
Resident credentials are called
.Dq discoverable credentials
in CTAP 2.1.
.It Fl t Ar option
Toggles a key/value
.Ar option ,
where
.Ar option
is a string of the form
.Dq key=value .
The options supported at present are:
.Bl -tag -width Ds
.It Cm up Ns = Ns Ar true|false
Asks the authenticator for user presence to be enabled or disabled.
.It Cm uv Ns = Ns Ar true|false
Asks the authenticator for user verification to be enabled or
disabled.
.It Cm pin Ns = Ns Ar true|false
Tells
.Nm
whether to prompt for a PIN and request user verification.
.El
.Pp
The
.Fl t
option may be specified multiple times.
.It Fl u
Obtain an assertion using U2F.
By default,
.Nm
will use FIDO2 if supported by the authenticator, and fallback to
U2F otherwise.
.It Fl v
If obtaining an assertion, prompt the user for a PIN and request
user verification from the authenticator.
If verifying an assertion, check whether the user verification bit
was signed by the authenticator.
.It Fl w
Tells
.Nm
that the first line of input when obtaining an assertion shall be
interpreted as unhashed client data.
This is required by Windows Hello, which calculates the client data hash
internally.
.El
.Pp
If a
.Em tty
is available,
.Nm
will use it to obtain the PIN.
Otherwise,
.Em stdin
is used.
.Sh INPUT FORMAT
The input of
.Nm
consists of base64 blobs and UTF-8 strings separated
by newline characters ('\\n').
.Pp
When obtaining an assertion,
.Nm
expects its input to consist of:
.Pp
.Bl -enum -offset indent -compact
.It
client data hash (base64 blob);
.It
relying party id (UTF-8 string);
.It
credential id, if credential not resident (base64 blob);
.It
hmac salt, if the FIDO2 hmac-secret extension is enabled
(base64 blob);
.El
.Pp
When verifying an assertion,
.Nm
expects its input to consist of:
.Pp
.Bl -enum -offset indent -compact
.It
client data hash (base64 blob);
.It
relying party id (UTF-8 string);
.It
authenticator data (base64 blob);
.It
assertion signature (base64 blob);
.El
.Pp
UTF-8 strings passed to
.Nm
must not contain embedded newline or NUL characters.
.Sh OUTPUT FORMAT
The output of
.Nm
consists of base64 blobs and UTF-8 strings separated
by newline characters ('\\n').
.Pp
For each generated assertion,
.Nm
outputs:
.Pp
.Bl -enum -offset indent -compact
.It
client data hash (base64 blob);
.It
relying party id (UTF-8 string);
.It
authenticator data (base64 blob);
.It
assertion signature (base64 blob);
.It
user id, if credential resident (base64 blob);
.It
hmac secret, if the FIDO2 hmac-secret extension is enabled
(base64 blob);
.It
the credential's associated 32-byte symmetric key
.Pq Dq largeBlobKey ,
if requested (base64 blob).
.El
.Pp
When verifying an assertion,
.Nm
produces no output.
.Sh EXAMPLES
Assuming
.Pa cred
contains a
.Em es256
credential created according to the steps outlined in
.Xr fido2-cred 1 ,
obtain an assertion from an authenticator at
.Pa /dev/hidraw5
and verify it:
.Pp
.Dl $ echo assertion challenge | openssl sha256 -binary | base64 > assert_param
.Dl $ echo relying party >> assert_param
.Dl $ head -1 cred >> assert_param
.Dl $ tail -n +2 cred > pubkey
.Dl $ fido2-assert -G -i assert_param /dev/hidraw5 | fido2-assert -V pubkey es256
.Sh SEE ALSO
.Xr fido2-cred 1 ,
.Xr fido2-token 1

297
man/fido2-cred.1 Normal file
View File

@@ -0,0 +1,297 @@
.\" Copyright (c) 2018-2023 Yubico AB. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions are
.\" met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in
.\" the documentation and/or other materials provided with the
.\" distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" SPDX-License-Identifier: BSD-2-Clause
.\"
.Dd $Mdocdate: July 3 2023 $
.Dt FIDO2-CRED 1
.Os
.Sh NAME
.Nm fido2-cred
.Nd make/verify a FIDO2 credential
.Sh SYNOPSIS
.Nm
.Fl M
.Op Fl bdhqruvw
.Op Fl c Ar cred_protect
.Op Fl i Ar input_file
.Op Fl o Ar output_file
.Ar device
.Op Ar type
.Nm
.Fl V
.Op Fl dhv
.Op Fl c Ar cred_protect
.Op Fl i Ar input_file
.Op Fl o Ar output_file
.Op Ar type
.Sh DESCRIPTION
.Nm
makes or verifies a FIDO2 credential.
.Pp
A credential
.Ar type
may be
.Em es256
(denoting ECDSA over NIST P-256 with SHA-256),
.Em rs256
(denoting 2048-bit RSA with PKCS#1.5 padding and SHA-256), or
.Em eddsa
(denoting EDDSA over Curve25519 with SHA-512).
If
.Ar type
is not specified,
.Em es256
is assumed.
.Pp
When making a credential, the authenticator may require the user
to authenticate with a PIN.
If the
.Fl q
option is not specified,
.Nm
will prompt the user for the PIN.
If a
.Em tty
is available,
.Nm
will use it to obtain the PIN.
Otherwise,
.Em stdin
is used.
.Pp
The input of
.Nm
is defined by the parameters of the credential to be made/verified.
See the
.Sx INPUT FORMAT
section for details.
.Pp
The output of
.Nm
is defined by the result of the selected operation.
See the
.Sx OUTPUT FORMAT
section for details.
.Pp
If a credential is successfully created or verified,
.Nm
exits 0.
Otherwise,
.Nm
exits 1.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl M
Tells
.Nm
to make a new credential on
.Ar device .
.It Fl V
Tells
.Nm
to verify a credential.
.It Fl b
Request the credential's
.Dq largeBlobKey ,
a 32-byte symmetric key associated with the generated credential.
.It Fl c Ar cred_protect
If making a credential, set the credential's protection level to
.Ar cred_protect ,
where
.Ar cred_protect
is the credential's protection level in decimal notation.
Please refer to
.In fido/param.h
for the set of possible values.
If verifying a credential, check whether the credential's protection
level was signed by the authenticator as
.Ar cred_protect .
.It Fl d
Causes
.Nm
to emit debugging output on
.Em stderr .
.It Fl h
If making a credential, enable the FIDO2 hmac-secret extension.
If verifying a credential, check whether the extension data bit was
signed by the authenticator.
.It Fl i Ar input_file
Tells
.Nm
to read the parameters of the credential from
.Ar input_file
instead of
.Em stdin .
.It Fl o Ar output_file
Tells
.Nm
to write output on
.Ar output_file
instead of
.Em stdout .
.It Fl q
Tells
.Nm
to be quiet.
If a PIN is required and
.Fl q
is specified,
.Nm
will fail.
.It Fl r
Create a resident credential.
Resident credentials are called
.Dq discoverable credentials
in CTAP 2.1.
.It Fl u
Create a U2F credential.
By default,
.Nm
will use FIDO2 if supported by the authenticator, and fallback to
U2F otherwise.
.It Fl v
If making a credential, request user verification.
If verifying a credential, check whether the user verification bit
was signed by the authenticator.
.It Fl w
Tells
.Nm
that the first line of input when making a credential shall be
interpreted as unhashed client data.
This is required by Windows Hello, which calculates the client data hash
internally.
.El
.Sh INPUT FORMAT
The input of
.Nm
consists of base64 blobs and UTF-8 strings separated
by newline characters ('\\n').
.Pp
When making a credential,
.Nm
expects its input to consist of:
.Pp
.Bl -enum -offset indent -compact
.It
client data hash (base64 blob);
.It
relying party id (UTF-8 string);
.It
user name (UTF-8 string);
.It
user id (base64 blob).
.El
.Pp
When verifying a credential,
.Nm
expects its input to consist of:
.Pp
.Bl -enum -offset indent -compact
.It
client data hash (base64 blob);
.It
relying party id (UTF-8 string);
.It
credential format (UTF-8 string);
.It
authenticator data (base64 blob);
.It
credential id (base64 blob);
.It
attestation signature (base64 blob);
.It
attestation certificate (optional, base64 blob).
.El
.Pp
UTF-8 strings passed to
.Nm
must not contain embedded newline or NUL characters.
.Sh OUTPUT FORMAT
The output of
.Nm
consists of base64 blobs, UTF-8 strings, and PEM-encoded public
keys separated by newline characters ('\\n').
.Pp
Upon the successful generation of a credential,
.Nm
outputs:
.Pp
.Bl -enum -offset indent -compact
.It
client data hash (base64 blob);
.It
relying party id (UTF-8 string);
.It
credential format (UTF-8 string);
.It
authenticator data (base64 blob);
.It
credential id (base64 blob);
.It
attestation signature (base64 blob);
.It
attestation certificate, if present (base64 blob).
.It
the credential's associated 32-byte symmetric key
.Pq Dq largeBlobKey ,
if present (base64 blob).
.El
.Pp
Upon the successful verification of a credential,
.Nm
outputs:
.Pp
.Bl -enum -offset indent -compact
.It
credential id (base64 blob);
.It
PEM-encoded credential key.
.El
.Sh EXAMPLES
Create a new
.Em es256
credential on
.Pa /dev/hidraw5 ,
verify it, and save the id and the public key of the credential in
.Em cred :
.Pp
.Dl $ echo credential challenge | openssl sha256 -binary | base64 > cred_param
.Dl $ echo relying party >> cred_param
.Dl $ echo user name >> cred_param
.Dl $ dd if=/dev/urandom bs=1 count=32 | base64 >> cred_param
.Dl $ fido2-cred -M -i cred_param /dev/hidraw5 | fido2-cred -V -o cred
.Sh SEE ALSO
.Xr fido2-assert 1 ,
.Xr fido2-token 1
.Sh CAVEATS
Please note that
.Nm
handles Basic Attestation and Self Attestation transparently.
In the case of Basic Attestation, the validity of the authenticator's
attestation certificate is
.Em not
verified.

421
man/fido2-token.1 Normal file
View File

@@ -0,0 +1,421 @@
.\" Copyright (c) 2018-2022 Yubico AB. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions are
.\" met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in
.\" the documentation and/or other materials provided with the
.\" distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" SPDX-License-Identifier: BSD-2-Clause
.\"
.Dd $Mdocdate: April 11 2022 $
.Dt FIDO2-TOKEN 1
.Os
.Sh NAME
.Nm fido2-token
.Nd find and manage a FIDO2 authenticator
.Sh SYNOPSIS
.Nm
.Fl C
.Op Fl d
.Ar device
.Nm
.Fl D
.Op Fl d
.Fl i
.Ar cred_id
.Ar device
.Nm
.Fl D
.Fl b
.Op Fl d
.Fl k Ar key_path
.Ar device
.Nm
.Fl D
.Fl b
.Op Fl d
.Fl n Ar rp_id
.Op Fl i Ar cred_id
.Ar device
.Nm
.Fl D
.Fl e
.Op Fl d
.Fl i
.Ar template_id
.Ar device
.Nm
.Fl D
.Fl u
.Op Fl d
.Ar device
.Nm
.Fl G
.Fl b
.Op Fl d
.Fl k Ar key_path
.Ar blob_path
.Ar device
.Nm
.Fl G
.Fl b
.Op Fl d
.Fl n Ar rp_id
.Op Fl i Ar cred_id
.Ar blob_path
.Ar device
.Nm
.Fl I
.Op Fl cd
.Op Fl k Ar rp_id Fl i Ar cred_id
.Ar device
.Nm
.Fl L
.Op Fl bder
.Op Fl k Ar rp_id
.Op device
.Nm
.Fl R
.Op Fl d
.Ar device
.Nm
.Fl S
.Op Fl adefu
.Ar device
.Nm
.Fl S
.Op Fl d
.Fl i Ar template_id
.Fl n Ar template_name
.Ar device
.Nm
.Fl S
.Op Fl d
.Fl l Ar pin_length
.Ar device
.Nm
.Fl S
.Fl b
.Op Fl d
.Fl k Ar key_path
.Ar blob_path
.Ar device
.Nm
.Fl S
.Fl b
.Op Fl d
.Fl n Ar rp_id
.Op Fl i Ar cred_id
.Ar blob_path
.Ar device
.Nm
.Fl S
.Fl c
.Op Fl d
.Fl i Ar cred_id
.Fl k Ar user_id
.Fl n Ar name
.Fl p Ar display_name
.Ar device
.Nm
.Fl S
.Fl m
.Ar rp_id
.Ar device
.Nm
.Fl V
.Sh DESCRIPTION
.Nm
manages a FIDO2 authenticator.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl C Ar device
Changes the PIN of
.Ar device .
The user will be prompted for the current and new PINs.
.It Fl D Fl i Ar id Ar device
Deletes the resident credential specified by
.Ar id
from
.Ar device ,
where
.Ar id
is the credential's base64-encoded id.
The user will be prompted for the PIN.
.It Fl D Fl b Fl k Ar key_path Ar device
Deletes a
.Dq largeBlob
encrypted with
.Ar key_path
from
.Ar device ,
where
.Ar key_path
holds the blob's base64-encoded 32-byte AES-256 GCM encryption key.
A PIN or equivalent user-verification gesture is required.
.It Fl D Fl b Fl n Ar rp_id Oo Fl i Ar cred_id Oc Ar device
Deletes a
.Dq largeBlob
corresponding to
.Ar rp_id
from
.Ar device .
If
.Ar rp_id
has multiple credentials enrolled on
.Ar device ,
the credential ID must be specified using
.Fl i Ar cred_id ,
where
.Ar cred_id
is a base64-encoded blob.
A PIN or equivalent user-verification gesture is required.
.It Fl D Fl e Fl i Ar id Ar device
Deletes the biometric enrollment specified by
.Ar id
from
.Ar device ,
where
.Ar id
is the enrollment's template base64-encoded id.
The user will be prompted for the PIN.
.It Fl D Fl u Ar device
Disables the CTAP 2.1
.Dq user verification always
feature on
.Ar device .
.It Fl G Fl b Fl k Ar key_path Ar blob_path Ar device
Gets a CTAP 2.1
.Dq largeBlob
encrypted with
.Ar key_path
from
.Ar device ,
where
.Ar key_path
holds the blob's base64-encoded 32-byte AES-256 GCM encryption key.
The blob is written to
.Ar blob_path .
A PIN or equivalent user-verification gesture is required.
.It Fl G Fl b Fl n Ar rp_id Oo Fl i Ar cred_id Oc Ar blob_path Ar device
Gets a CTAP 2.1
.Dq largeBlob
associated with
.Ar rp_id
from
.Ar device .
If
.Ar rp_id
has multiple credentials enrolled on
.Ar device ,
the credential ID must be specified using
.Fl i Ar cred_id ,
where
.Ar cred_id
is a base64-encoded blob.
The blob is written to
.Ar blob_path .
A PIN or equivalent user-verification gesture is required.
.It Fl I Ar device
Retrieves information on
.Ar device .
.It Fl I Fl c Ar device
Retrieves resident credential metadata from
.Ar device .
The user will be prompted for the PIN.
.It Fl I Fl k Ar rp_id Fl i Ar cred_id Ar device
Prints the credential id (base64-encoded) and public key
(PEM encoded) of the resident credential specified by
.Ar rp_id
and
.Ar cred_id ,
where
.Ar rp_id
is a UTF-8 relying party id, and
.Ar cred_id
is a base64-encoded credential id.
The user will be prompted for the PIN.
.It Fl L
Produces a list of authenticators found by the operating system.
.It Fl L Fl b Ar device
Produces a list of CTAP 2.1
.Dq largeBlobs
on
.Ar device .
A PIN or equivalent user-verification gesture is required.
.It Fl L Fl e Ar device
Produces a list of biometric enrollments on
.Ar device .
The user will be prompted for the PIN.
.It Fl L Fl r Ar device
Produces a list of relying parties with resident credentials on
.Ar device .
The user will be prompted for the PIN.
.It Fl L Fl k Ar rp_id Ar device
Produces a list of resident credentials corresponding to
relying party
.Ar rp_id
on
.Ar device .
The user will be prompted for the PIN.
.It Fl R
Performs a reset on
.Ar device .
.Nm
will NOT prompt for confirmation.
.It Fl S
Sets the PIN of
.Ar device .
The user will be prompted for the PIN.
.It Fl S Fl a Ar device
Enables CTAP 2.1 Enterprise Attestation on
.Ar device .
.It Fl S Fl b Fl k Ar key_path Ar blob_path Ar device
Sets a CTAP 2.1
.Dq largeBlob
encrypted with
.Ar key_path
on
.Ar device ,
where
.Ar key_path
holds the blob's base64-encoded 32-byte AES-256 GCM encryption key.
The blob is read from
.Fa blob_path .
A PIN or equivalent user-verification gesture is required.
.It Fl S Fl b Fl n Ar rp_id Oo Fl i Ar cred_id Oc Ar blob_path Ar device
Sets a CTAP 2.1
.Dq largeBlob
associated with
.Ar rp_id
on
.Ar device .
The blob is read from
.Fa blob_path .
If
.Ar rp_id
has multiple credentials enrolled on
.Ar device ,
the credential ID must be specified using
.Fl i Ar cred_id ,
where
.Ar cred_id
is a base64-encoded blob.
A PIN or equivalent user-verification gesture is required.
.It Fl S Fl c Fl i Ar cred_id Fl k Ar user_id Fl n Ar name Fl p Ar display_name Ar device
Sets the
.Ar name
and
.Ar display_name
attributes of the resident credential identified by
.Ar cred_id
and
.Ar user_id ,
where
.Ar name
and
.Ar display_name
are UTF-8 strings and
.Ar cred_id
and
.Ar user_id
are base64-encoded blobs.
A PIN or equivalent user-verification gesture is required.
.It Fl S Fl e Ar device
Performs a new biometric enrollment on
.Ar device .
The user will be prompted for the PIN.
.It Fl S Fl e Fl i Ar template_id Fl n Ar template_name Ar device
Sets the friendly name of the biometric enrollment specified by
.Ar template_id
to
.Ar template_name
on
.Ar device ,
where
.Ar template_id
is base64-encoded and
.Ar template_name
is a UTF-8 string.
The user will be prompted for the PIN.
.It Fl S Fl f Ar device
Forces a PIN change on
.Ar device .
The user will be prompted for the PIN.
.It Fl S Fl l Ar pin_length Ar device
Sets the minimum PIN length of
.Ar device
to
.Ar pin_length .
The user will be prompted for the PIN.
.It Fl S Fl m Ar rp_id Ar device
Sets the list of relying party IDs that are allowed to retrieve
the minimum PIN length of
.Ar device .
Multiple IDs may be specified, separated by commas.
The user will be prompted for the PIN.
.It Fl S Fl u Ar device
Enables the CTAP 2.1
.Dq user verification always
feature on
.Ar device .
.It Fl V
Prints version information.
.It Fl d
Causes
.Nm
to emit debugging output on
.Em stderr .
.El
.Pp
If a
.Em tty
is available,
.Nm
will use it to prompt for PINs.
Otherwise,
.Em stdin
is used.
.Pp
.Nm
exits 0 on success and 1 on error.
.Sh SEE ALSO
.Xr fido2-assert 1 ,
.Xr fido2-cred 1
.Sh CAVEATS
The actual user-flow to perform a reset is outside the scope of the
FIDO2 specification, and may therefore vary depending on the
authenticator.
Yubico authenticators do not allow resets after 5 seconds from
power-up, and expect a reset to be confirmed by the user through
touch within 30 seconds.
.Pp
An authenticator's path may contain spaces.
.Pp
Resident credentials are called
.Dq discoverable credentials
in CTAP 2.1.
.Pp
Whether the CTAP 2.1
.Dq user verification always
feature is activated or deactivated after an authenticator reset
is vendor-specific.

80
man/fido_assert_allow_cred.3 Normal file
View File

@@ -0,0 +1,80 @@
.\" Copyright (c) 2018-2022 Yubico AB. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions are
.\" met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in
.\" the documentation and/or other materials provided with the
.\" distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" SPDX-License-Identifier: BSD-2-Clause
.\"
.Dd $Mdocdate: December 1 2022 $
.Dt FIDO_ASSERT_ALLOW_CRED 3
.Os
.Sh NAME
.Nm fido_assert_allow_cred ,
.Nm fido_assert_empty_allow_list
.Nd manage allow lists in a FIDO2 assertion
.Sh SYNOPSIS
.In fido.h
.Ft int
.Fn fido_assert_allow_cred "fido_assert_t *assert" "const unsigned char *ptr" "size_t len"
.Ft int
.Fn fido_assert_empty_allow_list "fido_assert_t *assert"
.Sh DESCRIPTION
The
.Fn fido_assert_allow_cred
function adds
.Fa ptr
to the list of credentials allowed in
.Fa assert ,
where
.Fa ptr
points to a credential ID of
.Fa len
bytes.
A copy of
.Fa ptr
is made, and no references to the passed pointer are kept.
If
.Fn fido_assert_allow_cred
fails, the existing list of allowed credentials is preserved.
.Pp
For the format of a FIDO2 credential ID, please refer to the
Web Authentication (webauthn) standard.
.Pp
The
.Fn fido_assert_empty_allow_list
function empties the list of credentials allowed in
.Fa assert .
.Sh RETURN VALUES
The error codes returned by
.Fn fido_assert_allow_cred
and
.Fn fido_assert_empty_allow_list
are defined in
.In fido/err.h .
On success,
.Dv FIDO_OK
is returned.
.Sh SEE ALSO
.Xr fido_assert_new 3 ,
.Xr fido_assert_set_authdata 3 ,
.Xr fido_dev_get_assert 3

293
man/fido_assert_new.3 Normal file
View File

@@ -0,0 +1,293 @@
.\" Copyright (c) 2018-2023 Yubico AB. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions are
.\" met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in
.\" the documentation and/or other materials provided with the
.\" distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" SPDX-License-Identifier: BSD-2-Clause
.\"
.Dd $Mdocdate: June 19 2023 $
.Dt FIDO_ASSERT_NEW 3
.Os
.Sh NAME
.Nm fido_assert_new ,
.Nm fido_assert_free ,
.Nm fido_assert_count ,
.Nm fido_assert_rp_id ,
.Nm fido_assert_user_display_name ,
.Nm fido_assert_user_icon ,
.Nm fido_assert_user_name ,
.Nm fido_assert_authdata_ptr ,
.Nm fido_assert_authdata_raw_ptr ,
.Nm fido_assert_blob_ptr ,
.Nm fido_assert_clientdata_hash_ptr ,
.Nm fido_assert_hmac_secret_ptr ,
.Nm fido_assert_largeblob_key_ptr ,
.Nm fido_assert_user_id_ptr ,
.Nm fido_assert_sig_ptr ,
.Nm fido_assert_id_ptr ,
.Nm fido_assert_authdata_len ,
.Nm fido_assert_authdata_raw_len ,
.Nm fido_assert_blob_len ,
.Nm fido_assert_clientdata_hash_len ,
.Nm fido_assert_hmac_secret_len ,
.Nm fido_assert_largeblob_key_len ,
.Nm fido_assert_user_id_len ,
.Nm fido_assert_sig_len ,
.Nm fido_assert_id_len ,
.Nm fido_assert_sigcount ,
.Nm fido_assert_flags
.Nd FIDO2 assertion API
.Sh SYNOPSIS
.In fido.h
.Ft fido_assert_t *
.Fn fido_assert_new "void"
.Ft void
.Fn fido_assert_free "fido_assert_t **assert_p"
.Ft size_t
.Fn fido_assert_count "const fido_assert_t *assert"
.Ft const char *
.Fn fido_assert_rp_id "const fido_assert_t *assert"
.Ft const char *
.Fn fido_assert_user_display_name "const fido_assert_t *assert" "size_t idx"
.Ft const char *
.Fn fido_assert_user_icon "const fido_assert_t *assert" "size_t idx"
.Ft const char *
.Fn fido_assert_user_name "const fido_assert_t *assert" "size_t idx"
.Ft const unsigned char *
.Fn fido_assert_authdata_ptr "const fido_assert_t *assert" "size_t idx"
.Ft const unsigned char *
.Fn fido_assert_authdata_raw_ptr "const fido_assert_t *assert" "size_t idx"
.Ft const unsigned char *
.Fn fido_assert_clientdata_hash_ptr "const fido_assert_t *assert"
.Ft const unsigned char *
.Fn fido_assert_blob_ptr "const fido_assert_t *assert" "size_t idx"
.Ft const unsigned char *
.Fn fido_assert_hmac_secret_ptr "const fido_assert_t *assert" "size_t idx"
.Ft const unsigned char *
.Fn fido_assert_largeblob_key_ptr "const fido_assert_t *assert" "size_t idx"
.Ft const unsigned char *
.Fn fido_assert_user_id_ptr "const fido_assert_t *assert" "size_t idx"
.Ft const unsigned char *
.Fn fido_assert_sig_ptr "const fido_assert_t *assert" "size_t idx"
.Ft const unsigned char *
.Fn fido_assert_id_ptr "const fido_assert_t *assert" "size_t idx"
.Ft size_t
.Fn fido_assert_authdata_len "const fido_assert_t *assert" "size_t idx"
.Ft size_t
.Fn fido_assert_authdata_raw_len "const fido_assert_t *assert" "size_t idx"
.Ft size_t
.Fn fido_assert_clientdata_hash_len "const fido_assert_t *assert"
.Ft size_t
.Fn fido_assert_blob_len "const fido_assert_t *assert" "size_t idx"
.Ft size_t
.Fn fido_assert_hmac_secret_len "const fido_assert_t *assert" "size_t idx"
.Ft size_t
.Fn fido_assert_largeblob_key_len "const fido_assert_t *assert" "size_t idx"
.Ft size_t
.Fn fido_assert_user_id_len "const fido_assert_t *assert" "size_t idx"
.Ft size_t
.Fn fido_assert_sig_len "const fido_assert_t *assert" "size_t idx"
.Ft size_t
.Fn fido_assert_id_len "const fido_assert_t *assert" "size_t idx"
.Ft uint32_t
.Fn fido_assert_sigcount "const fido_assert_t *assert" "size_t idx"
.Ft uint8_t
.Fn fido_assert_flags "const fido_assert_t *assert" "size_t idx"
.Sh DESCRIPTION
A FIDO2 assertion is a collection of statements, each statement a
map between a challenge, a credential, a signature, and ancillary
attributes.
In
.Em libfido2 ,
a FIDO2 assertion is abstracted by the
.Vt fido_assert_t
type.
The functions described in this page allow a
.Vt fido_assert_t
type to be allocated, deallocated, and inspected.
For other operations on
.Vt fido_assert_t ,
please refer to
.Xr fido_assert_set_authdata 3 ,
.Xr fido_assert_allow_cred 3 ,
.Xr fido_assert_verify 3 ,
and
.Xr fido_dev_get_assert 3 .
.Pp
The
.Fn fido_assert_new
function returns a pointer to a newly allocated, empty
.Vt fido_assert_t
type.
If memory cannot be allocated, NULL is returned.
.Pp
The
.Fn fido_assert_free
function releases the memory backing
.Fa *assert_p ,
where
.Fa *assert_p
must have been previously allocated by
.Fn fido_assert_new .
On return,
.Fa *assert_p
is set to NULL.
Either
.Fa assert_p
or
.Fa *assert_p
may be NULL, in which case
.Fn fido_assert_free
is a NOP.
.Pp
The
.Fn fido_assert_count
function returns the number of statements in
.Fa assert .
.Pp
The
.Fn fido_assert_rp_id
function returns a pointer to a NUL-terminated string holding the
relying party ID of
.Fa assert .
.Pp
The
.Fn fido_assert_user_display_name ,
.Fn fido_assert_user_icon ,
and
.Fn fido_assert_user_name ,
functions return pointers to the user display name, icon, and
name attributes of statement
.Fa idx
in
.Fa assert .
If not NULL, the values returned by these functions point to
NUL-terminated UTF-8 strings.
The user display name, icon, and name attributes will typically
only be returned by the authenticator if user verification was
performed by the authenticator and multiple resident/discoverable
credentials were involved in the assertion.
.Pp
The
.Fn fido_assert_authdata_ptr ,
.Fn fido_assert_authdata_raw_ptr ,
.Fn fido_assert_clientdata_hash_ptr ,
.Fn fido_assert_id_ptr ,
.Fn fido_assert_user_id_ptr ,
.Fn fido_assert_sig_ptr ,
.Fn fido_assert_sigcount ,
and
.Fn fido_assert_flags
functions return pointers to the CBOR-encoded and raw authenticator data,
client data hash, credential ID, user ID, signature, signature
count, and authenticator data flags of statement
.Fa idx
in
.Fa assert .
.Pp
The
.Fn fido_assert_hmac_secret_ptr
function returns a pointer to the hmac-secret attribute of statement
.Fa idx
in
.Fa assert .
The HMAC Secret Extension
.Pq hmac-secret
is a CTAP 2.0 extension.
Note that the resulting hmac-secret varies according to whether
user verification was performed by the authenticator.
.Pp
The
.Fn fido_assert_blob_ptr
and
.Fn fido_assert_largeblob_key_ptr
functions return pointers to the
.Dq credBlob
and
.Dq largeBlobKey
attributes of statement
.Fa idx
in
.Fa assert .
Credential Blob
.Pq credBlob
and
Large Blob Key
.Pq largeBlobKey
are CTAP 2.1 extensions.
.Pp
The
.Fn fido_assert_authdata_len ,
.Fn fido_assert_authdata_raw_len ,
.Fn fido_assert_clientdata_hash_len ,
.Fn fido_assert_id_len ,
.Fn fido_assert_user_id_len ,
.Fn fido_assert_sig_len ,
.Fn fido_assert_hmac_secret_len ,
.Fn fido_assert_blob_len ,
and
.Fn fido_assert_largeblob_key_len
functions return the length of a given attribute.
.Pp
Please note that the first statement in
.Fa assert
has an
.Fa idx
(index) value of 0.
.Pp
The authenticator data and signature parts of an assertion
statement are typically passed to a FIDO2 server for verification.
.Sh RETURN VALUES
The authenticator data returned by
.Fn fido_assert_authdata_ptr
is a CBOR-encoded byte string, as obtained from the authenticator.
.Pp
The
.Fn fido_assert_rp_id ,
.Fn fido_assert_user_display_name ,
.Fn fido_assert_user_icon ,
.Fn fido_assert_user_name ,
.Fn fido_assert_authdata_ptr ,
.Fn fido_assert_clientdata_hash_ptr ,
.Fn fido_assert_id_ptr ,
.Fn fido_assert_user_id_ptr ,
.Fn fido_assert_sig_ptr ,
.Fn fido_assert_hmac_secret_ptr ,
.Fn fido_assert_blob_ptr ,
and
.Fn fido_assert_largeblob_key_ptr
functions may return NULL if the respective field in
.Fa assert
is not set.
If not NULL, returned pointers are guaranteed to exist until any API
function that takes
.Fa assert
without the
.Em const
qualifier is invoked.
.Sh SEE ALSO
.Xr fido_assert_allow_cred 3 ,
.Xr fido_assert_set_authdata 3 ,
.Xr fido_assert_verify 3 ,
.Xr fido_dev_get_assert 3 ,
.Xr fido_dev_largeblob_get 3

314
man/fido_assert_set_authdata.3 Normal file
View File

@@ -0,0 +1,314 @@
.\" Copyright (c) 2018-2022 Yubico AB. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions are
.\" met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in
.\" the documentation and/or other materials provided with the
.\" distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" SPDX-License-Identifier: BSD-2-Clause
.\"
.Dd $Mdocdate: April 8 2023 $
.Dt FIDO_ASSERT_SET_AUTHDATA 3
.Os
.Sh NAME
.Nm fido_assert_set_authdata ,
.Nm fido_assert_set_authdata_raw ,
.Nm fido_assert_set_clientdata ,
.Nm fido_assert_set_clientdata_hash ,
.Nm fido_assert_set_count ,
.Nm fido_assert_set_extensions ,
.Nm fido_assert_set_hmac_salt ,
.Nm fido_assert_set_hmac_secret ,
.Nm fido_assert_set_up ,
.Nm fido_assert_set_uv ,
.Nm fido_assert_set_rp ,
.Nm fido_assert_set_sig ,
.Nm fido_assert_set_winhello_appid
.Nd set parameters of a FIDO2 assertion
.Sh SYNOPSIS
.In fido.h
.Bd -literal
typedef enum {
FIDO_OPT_OMIT = 0, /* use authenticator's default */
FIDO_OPT_FALSE, /* explicitly set option to false */
FIDO_OPT_TRUE, /* explicitly set option to true */
} fido_opt_t;
.Ed
.Ft int
.Fn fido_assert_set_authdata "fido_assert_t *assert" "size_t idx" "const unsigned char *ptr" "size_t len"
.Ft int
.Fn fido_assert_set_authdata_raw "fido_assert_t *assert" "size_t idx" "const unsigned char *ptr" "size_t len"
.Ft int
.Fn fido_assert_set_clientdata "fido_assert_t *assert" "const unsigned char *ptr" "size_t len"
.Ft int
.Fn fido_assert_set_clientdata_hash "fido_assert_t *assert" "const unsigned char *ptr" "size_t len"
.Ft int
.Fn fido_assert_set_count "fido_assert_t *assert" "size_t n"
.Ft int
.Fn fido_assert_set_extensions "fido_assert_t *assert" "int flags"
.Ft int
.Fn fido_assert_set_hmac_salt "fido_assert_t *assert" "const unsigned char *ptr" "size_t len"
.Ft int
.Fn fido_assert_set_hmac_secret "fido_assert_t *assert" "size_t idx" "const unsigned char *ptr" "size_t len"
.Ft int
.Fn fido_assert_set_up "fido_assert_t *assert" "fido_opt_t up"
.Ft int
.Fn fido_assert_set_uv "fido_assert_t *assert" "fido_opt_t uv"
.Ft int
.Fn fido_assert_set_rp "fido_assert_t *assert" "const char *id"
.Ft int
.Fn fido_assert_set_sig "fido_assert_t *assert" "size_t idx" "const unsigned char *ptr" "size_t len"
.Ft int
.Fn fido_assert_set_winhello_appid "fido_assert_t *assert" "const char *id"
.Sh DESCRIPTION
The
.Nm
set of functions define the various parameters of a FIDO2
assertion, allowing a
.Fa fido_assert_t
type to be prepared for a subsequent call to
.Xr fido_dev_get_assert 3
or
.Xr fido_assert_verify 3 .
For the complete specification of a FIDO2 assertion and the format
of its constituent parts, please refer to the Web Authentication
(webauthn) standard.
.Pp
The
.Fn fido_assert_set_count
function sets the number of assertion statements in
.Fa assert
to
.Fa n .
.Pp
The
.Fn fido_assert_set_authdata
and
.Fn fido_assert_set_sig
functions set the authenticator data and signature parts of the
statement with index
.Fa idx
of
.Fa assert
to
.Fa ptr ,
where
.Fa ptr
points to
.Fa len
bytes.
A copy of
.Fa ptr
is made, and no references to the passed pointer are kept.
Please note that the first assertion statement of
.Fa assert
has an
.Fa idx
of
.Em 0 .
The authenticator data passed to
.Fn fido_assert_set_authdata
must be a CBOR-encoded byte string, as obtained from
.Fn fido_assert_authdata_ptr .
Alternatively, a raw binary blob may be passed to
.Fn fido_assert_set_authdata_raw .
.Pp
The
.Fn fido_assert_set_clientdata_hash
function sets the client data hash of
.Fa assert
to
.Fa ptr ,
where
.Fa ptr
points to
.Fa len
bytes.
A copy of
.Fa ptr
is made, and no references to the passed pointer are kept.
.Pp
The
.Fn fido_assert_set_clientdata
function allows an application to set the client data hash of
.Fa assert
by specifying the assertion's unhashed client data.
This is required by Windows Hello, which calculates the client data
hash internally.
For compatibility with Windows Hello, applications should use
.Fn fido_assert_set_clientdata
instead of
.Fn fido_assert_set_clientdata_hash .
.Pp
The
.Fn fido_assert_set_rp
function sets the relying party
.Fa id
of
.Fa assert ,
where
.Fa id
is a NUL-terminated UTF-8 string.
The content of
.Fa id
is copied, and no references to the passed pointer are kept.
.Pp
The
.Fn fido_assert_set_extensions
function sets the extensions of
.Fa assert
to the bitmask
.Fa flags .
At the moment, only the
.Dv FIDO_EXT_CRED_BLOB ,
.Dv FIDO_EXT_HMAC_SECRET ,
and
.Dv FIDO_EXT_LARGEBLOB_KEY
extensions are supported.
If
.Fa flags
is zero, the extensions of
.Fa assert
are cleared.
.Pp
The
.Fn fido_assert_set_hmac_salt
and
.Fn fido_assert_set_hmac_secret
functions set the hmac-salt and hmac-secret parts of
.Fa assert
to
.Fa ptr ,
where
.Fa ptr
points to
.Fa len
bytes.
A copy of
.Fa ptr
is made, and no references to the passed pointer are kept.
The HMAC Secret
.Pq hmac-secret
Extension is a CTAP 2.0 extension.
Note that the resulting hmac-secret varies according to whether
user verification was performed by the authenticator.
The
.Fn fido_assert_set_hmac_secret
function is normally only useful when writing tests.
.Pp
The
.Fn fido_assert_set_up
and
.Fn fido_assert_set_uv
functions set the
.Fa up
(user presence) and
.Fa uv
(user verification)
attributes of
.Fa assert .
Both are
.Dv FIDO_OPT_OMIT
by default, allowing the authenticator to use its default settings.
.Pp
The
.Fn fido_assert_set_winhello_appid
function sets the U2F application
.Fa id
.Pq Dq U2F AppID
of
.Fa assert ,
where
.Fa id
is a NUL-terminated UTF-8 string.
The content of
.Fa id
is copied, and no references to the passed pointer are kept.
The
.Fn fido_assert_set_winhello_appid
function is a no-op unless
.Fa assert
is passed to
.Xr fido_dev_get_assert 3
with a device
.Fa dev
on which
.Xr fido_dev_is_winhello 3
holds true.
In this case,
.Em libfido2
will instruct Windows Hello to try the assertion twice,
first with the
.Fa id
passed to
.Fn fido_assert_set_rp ,
and a second time with the
.Fa id
passed to
.Fn fido_assert_set_winhello_appid .
If the second assertion succeeds,
.Xr fido_assert_rp_id 3
will point to the U2F AppID once
.Xr fido_dev_get_assert 3
completes.
This mechanism exists in Windows Hello to ensure U2F backwards
compatibility without the application inadvertently prompting the
user twice.
Note that
.Fn fido_assert_set_winhello_appid
is not needed on platforms offering CTAP primitives, since the
authenticator can be silently probed for the existence of U2F
credentials.
.Pp
Use of the
.Nm
set of functions may happen in two distinct situations:
when asking a FIDO2 device to produce a series of assertion
statements, prior to
.Xr fido_dev_get_assert 3
(i.e, in the context of a FIDO2 client), or when verifying assertion
statements using
.Xr fido_assert_verify 3
(i.e, in the context of a FIDO2 server).
.Pp
For a complete description of the generation of a FIDO2 assertion
and its verification, please refer to the FIDO2 specification.
An example of how to use the
.Nm
set of functions can be found in the
.Pa examples/assert.c
file shipped with
.Em libfido2 .
.Sh RETURN VALUES
The
.Nm
functions return
.Dv FIDO_OK
on success.
The error codes returned by the
.Nm
set of functions are defined in
.In fido/err.h .
.Sh SEE ALSO
.Xr fido_assert_allow_cred 3 ,
.Xr fido_assert_verify 3 ,
.Xr fido_dev_get_assert 3 ,
.Xr fido_dev_is_winhello 3

104
man/fido_assert_verify.3 Normal file
View File

@@ -0,0 +1,104 @@
.\" Copyright (c) 2018-2022 Yubico AB. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions are
.\" met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in
.\" the documentation and/or other materials provided with the
.\" distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" SPDX-License-Identifier: BSD-2-Clause
.\"
.Dd $Mdocdate: July 15 2022 $
.Dt FIDO_ASSERT_VERIFY 3
.Os
.Sh NAME
.Nm fido_assert_verify
.Nd verifies the signature of a FIDO2 assertion statement
.Sh SYNOPSIS
.In fido.h
.Ft int
.Fn fido_assert_verify "const fido_assert_t *assert" "size_t idx" "int cose_alg" "const void *pk"
.Sh DESCRIPTION
The
.Fn fido_assert_verify
function verifies whether the signature contained in statement index
.Fa idx
of
.Fa assert
matches the parameters of the assertion.
Before using
.Fn fido_assert_verify
in a sensitive context, the reader is strongly encouraged to make
herself familiar with the FIDO2 assertion statement process
as defined in the Web Authentication (webauthn) standard.
.Pp
A brief description follows:
.Pp
The
.Fn fido_assert_verify
function verifies whether the client data hash, relying party ID,
user presence and user verification attributes of
.Fa assert
have been attested by the holder of the private counterpart of
the public key
.Fa pk
of COSE type
.Fa cose_alg ,
where
.Fa cose_alg
is
.Dv COSE_ES256 ,
.Dv COSE_ES384 ,
.Dv COSE_RS256 ,
or
.Dv COSE_EDDSA ,
and
.Fa pk
points to a
.Vt es256_pk_t ,
.Vt es384_pk_t ,
.Vt rs256_pk_t ,
or
.Vt eddsa_pk_t
type accordingly.
.Pp
Please note that the first statement in
.Fa assert
has an
.Fa idx
of 0.
.Sh RETURN VALUES
The error codes returned by
.Fn fido_assert_verify
are defined in
.In fido/err.h .
If
statement
.Fa idx
of
.Fa assert
passes verification with
.Fa pk ,
then
.Dv FIDO_OK
is returned.
.Sh SEE ALSO
.Xr fido_assert_new 3 ,
.Xr fido_assert_set_authdata 3

145
man/fido_bio_dev_get_info.3 Normal file
View File

@@ -0,0 +1,145 @@
.\" Copyright (c) 2019 Yubico AB. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions are
.\" met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in
.\" the documentation and/or other materials provided with the
.\" distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" SPDX-License-Identifier: BSD-2-Clause
.\"
.Dd $Mdocdate: September 13 2019 $
.Dt FIDO_BIO_DEV_GET_INFO 3
.Os
.Sh NAME
.Nm fido_bio_dev_get_info ,
.Nm fido_bio_dev_enroll_begin ,
.Nm fido_bio_dev_enroll_continue ,
.Nm fido_bio_dev_enroll_cancel ,
.Nm fido_bio_dev_enroll_remove ,
.Nm fido_bio_dev_get_template_array ,
.Nm fido_bio_dev_set_template_name
.Nd FIDO2 biometric authenticator API
.Sh SYNOPSIS
.In fido.h
.In fido/bio.h
.Ft int
.Fn fido_bio_dev_get_info "fido_dev_t *dev" "fido_bio_info_t *info"
.Ft int
.Fn fido_bio_dev_enroll_begin "fido_dev_t *dev" "fido_bio_template_t *template" "fido_bio_enroll_t *enroll" "uint32_t timeout_ms" "const char *pin"
.Ft int
.Fn fido_bio_dev_enroll_continue "fido_dev_t *dev" "const fido_bio_template_t *template" "fido_bio_enroll_t *enroll" "uint32_t timeout_ms"
.Ft int
.Fn fido_bio_dev_enroll_cancel "fido_dev_t *dev"
.Ft int
.Fn fido_bio_dev_enroll_remove "fido_dev_t *dev" "const fido_bio_template_t *template" "const char *pin"
.Ft int
.Fn fido_bio_dev_get_template_array "fido_dev_t *dev" "fido_bio_template_array_t *template_array" "const char *pin"
.Ft int
.Fn fido_bio_dev_set_template_name "fido_dev_t *dev" "const fido_bio_template_t *template" "const char *pin"
.Sh DESCRIPTION
The functions described in this page allow biometric
templates on a FIDO2 authenticator to be listed, created,
removed, and customised.
Please note that not all FIDO2 authenticators support biometric
enrollment.
For a description of the types involved, please refer to
.Xr fido_bio_info_new 3 ,
.Xr fido_bio_enroll_new 3 ,
and
.Xr fido_bio_template 3 .
.Pp
The
.Fn fido_bio_dev_get_info
function populates
.Fa info
with sensor information from
.Fa dev .
.Pp
The
.Fn fido_bio_dev_enroll_begin
function initiates a biometric enrollment on
.Fa dev ,
instructing the authenticator to wait
.Fa timeout_ms
milliseconds.
On success,
.Fa template
and
.Fa enroll
will be populated with the newly created template's
information and enrollment status, respectively.
.Pp
The
.Fn fido_bio_dev_enroll_continue
function continues an ongoing enrollment on
.Fa dev ,
instructing the authenticator to wait
.Fa timeout_ms
milliseconds.
On success,
.Fa enroll
will be updated to reflect the status of the biometric
enrollment.
.Pp
The
.Fn fido_bio_dev_enroll_cancel
function cancels an ongoing enrollment on
.Fa dev .
.Pp
The
.Fn fido_bio_dev_enroll_remove
function removes
.Fa template
from
.Fa dev .
.Pp
The
.Fn fido_bio_dev_get_template_array
function populates
.Fa template_array
with the templates currently enrolled on
.Fa dev .
.Pp
The
.Fn fido_bio_dev_set_template_name
function sets the friendly name of
.Fa template
on
.Fa dev .
.Sh RETURN VALUES
The error codes returned by
.Fn fido_bio_dev_get_info ,
.Fn fido_bio_dev_enroll_begin ,
.Fn fido_bio_dev_enroll_continue ,
.Fn fido_bio_dev_enroll_cancel ,
.Fn fido_bio_dev_enroll_remove ,
.Fn fido_bio_dev_get_template_array ,
and
.Fn fido_bio_dev_set_template_name
are defined in
.In fido/err.h .
On success,
.Dv FIDO_OK
is returned.
.Sh SEE ALSO
.Xr fido_bio_enroll_new 3 ,
.Xr fido_bio_info_new 3 ,
.Xr fido_bio_template 3

118
man/fido_bio_enroll_new.3 Normal file
View File

@@ -0,0 +1,118 @@
.\" Copyright (c) 2019 Yubico AB. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions are
.\" met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in
.\" the documentation and/or other materials provided with the
.\" distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" SPDX-License-Identifier: BSD-2-Clause
.\"
.Dd $Mdocdate: September 13 2019 $
.Dt FIDO_BIO_ENROLL_NEW 3
.Os
.Sh NAME
.Nm fido_bio_enroll_new ,
.Nm fido_bio_enroll_free ,
.Nm fido_bio_enroll_last_status ,
.Nm fido_bio_enroll_remaining_samples
.Nd FIDO2 biometric enrollment API
.Sh SYNOPSIS
.In fido.h
.In fido/bio.h
.Bd -literal
#define FIDO_BIO_ENROLL_FP_GOOD 0x00
#define FIDO_BIO_ENROLL_FP_TOO_HIGH 0x01
#define FIDO_BIO_ENROLL_FP_TOO_LOW 0x02
#define FIDO_BIO_ENROLL_FP_TOO_LEFT 0x03
#define FIDO_BIO_ENROLL_FP_TOO_RIGHT 0x04
#define FIDO_BIO_ENROLL_FP_TOO_FAST 0x05
#define FIDO_BIO_ENROLL_FP_TOO_SLOW 0x06
#define FIDO_BIO_ENROLL_FP_POOR_QUALITY 0x07
#define FIDO_BIO_ENROLL_FP_TOO_SKEWED 0x08
#define FIDO_BIO_ENROLL_FP_TOO_SHORT 0x09
#define FIDO_BIO_ENROLL_FP_MERGE_FAILURE 0x0a
#define FIDO_BIO_ENROLL_FP_EXISTS 0x0b
#define FIDO_BIO_ENROLL_FP_DATABASE_FULL 0x0c
#define FIDO_BIO_ENROLL_NO_USER_ACTIVITY 0x0d
#define FIDO_BIO_ENROLL_NO_USER_PRESENCE_TRANSITION 0x0e
.Ed
.Ft fido_bio_enroll_t *
.Fn fido_bio_enroll_new "void"
.Ft void
.Fn fido_bio_enroll_free "fido_bio_enroll_t **enroll_p"
.Ft uint8_t
.Fn fido_bio_enroll_last_status "const fido_bio_enroll_t *enroll"
.Ft uint8_t
.Fn fido_bio_enroll_remaining_samples "const fido_bio_enroll_t *enroll"
.Sh DESCRIPTION
Ongoing FIDO2 biometric enrollments are abstracted in
.Em libfido2
by the
.Vt fido_bio_enroll_t
type.
.Pp
The functions described in this page allow a
.Vt fido_bio_enroll_t
type to be allocated, deallocated, and inspected.
For device operations on
.Vt fido_bio_enroll_t ,
please refer to
.Xr fido_bio_dev_get_info 3 .
.Pp
The
.Fn fido_bio_enroll_new
function returns a pointer to a newly allocated, empty
.Vt fido_bio_enroll_t
type.
If memory cannot be allocated, NULL is returned.
.Pp
The
.Fn fido_bio_enroll_free
function releases the memory backing
.Fa *enroll_p ,
where
.Fa *enroll_p
must have been previously allocated by
.Fn fido_bio_enroll_new .
On return,
.Fa *enroll_p
is set to NULL.
Either
.Fa enroll_p
or
.Fa *enroll_p
may be NULL, in which case
.Fn fido_bio_enroll_free
is a NOP.
.Pp
The
.Fn fido_bio_enroll_last_status
function returns the enrollment status of
.Fa enroll .
.Pp
The
.Fn fido_bio_enroll_remaining_samples
function returns the number of samples left for
.Fa enroll
to complete.
.Sh SEE ALSO
.Xr fido_bio_dev_get_info 3 ,
.Xr fido_bio_template 3

104
man/fido_bio_info_new.3 Normal file
View File

@@ -0,0 +1,104 @@
.\" Copyright (c) 2019 Yubico AB. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions are
.\" met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in
.\" the documentation and/or other materials provided with the
.\" distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" SPDX-License-Identifier: BSD-2-Clause
.\"
.Dd $Mdocdate: September 13 2019 $
.Dt FIDO_BIO_INFO_NEW 3
.Os
.Sh NAME
.Nm fido_bio_info_new ,
.Nm fido_bio_info_free ,
.Nm fido_bio_info_type ,
.Nm fido_bio_info_max_samples
.Nd FIDO2 biometric sensor information API
.Sh SYNOPSIS
.In fido.h
.In fido/bio.h
.Ft fido_bio_info_t *
.Fn fido_bio_info_new "void"
.Ft void
.Fn fido_bio_info_free "fido_bio_info_t **info_p"
.Ft uint8_t
.Fn fido_bio_info_type "const fido_bio_info_t *info"
.Ft uint8_t
.Fn fido_bio_info_max_samples "const fido_bio_info_t *info"
.Sh DESCRIPTION
Biometric sensor metadata is abstracted in
.Em libfido2
by the
.Vt fido_bio_info_t
type.
.Pp
The functions described in this page allow a
.Vt fido_bio_info_t
type to be allocated, deallocated, and inspected.
For device operations on
.Vt fido_bio_info_t ,
please refer to
.Xr fido_bio_dev_get_info 3 .
.Pp
The
.Fn fido_bio_info_new
function returns a pointer to a newly allocated, empty
.Vt fido_bio_info_t
type.
If memory cannot be allocated, NULL is returned.
.Pp
The
.Fn fido_bio_info_free
function releases the memory backing
.Fa *info_p ,
where
.Fa *info_p
must have been previously allocated by
.Fn fido_bio_info_new .
On return,
.Fa *info_p
is set to NULL.
Either
.Fa info_p
or
.Fa *info_p
may be NULL, in which case
.Fn fido_bio_info_free
is a NOP.
.Pp
The
.Fn fido_bio_info_type
function returns the fingerprint sensor type, which is
.Dv 1
for touch sensors, and
.Dv 2
for swipe sensors.
.Pp
The
.Fn fido_bio_info_max_samples
function returns the maximum number of successful samples
required for enrollment.
.Sh SEE ALSO
.Xr fido_bio_dev_get_info 3 ,
.Xr fido_bio_enroll_new 3 ,
.Xr fido_bio_template 3

202
man/fido_bio_template.3 Normal file
View File

@@ -0,0 +1,202 @@
.\" Copyright (c) 2019 Yubico AB. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions are
.\" met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in
.\" the documentation and/or other materials provided with the
.\" distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" SPDX-License-Identifier: BSD-2-Clause
.\"
.Dd $Mdocdate: September 13 2019 $
.Dt FIDO_BIO_TEMPLATE 3
.Os
.Sh NAME
.Nm fido_bio_template ,
.Nm fido_bio_template_array_count ,
.Nm fido_bio_template_array_free ,
.Nm fido_bio_template_array_new ,
.Nm fido_bio_template_free ,
.Nm fido_bio_template_id_len ,
.Nm fido_bio_template_id_ptr ,
.Nm fido_bio_template_name ,
.Nm fido_bio_template_new ,
.Nm fido_bio_template_set_id ,
.Nm fido_bio_template_set_name
.Nd FIDO2 biometric template API
.Sh SYNOPSIS
.In fido.h
.In fido/bio.h
.Ft fido_bio_template_t *
.Fn fido_bio_template_new "void"
.Ft void
.Fn fido_bio_template_free "fido_bio_template_t **template_p"
.Ft const char *
.Fn fido_bio_template_name "const fido_bio_template_t *template"
.Ft const unsigned char *
.Fn fido_bio_template_id_ptr "const fido_bio_template_t *template"
.Ft size_t
.Fn fido_bio_template_id_len "const fido_bio_template_t *template"
.Ft int
.Fn fido_bio_template_set_id "fido_bio_template_t *template" "const unsigned char *ptr" "size_t len"
.Ft int
.Fn fido_bio_template_set_name "fido_bio_template_t *template" "const char *name"
.Ft fido_bio_template_array_t *
.Fn fido_bio_template_array_new "void"
.Ft void
.Fn fido_bio_template_array_free "fido_bio_template_array_t **array_p"
.Ft size_t
.Fn fido_bio_template_array_count "const fido_bio_template_array_t *array"
.Ft const fido_bio_template_t *
.Fn fido_bio_template "const fido_bio_template_array_t *array" "size_t idx"
.Sh DESCRIPTION
Existing FIDO2 biometric enrollments are abstracted in
.Em libfido2
by the
.Vt fido_bio_template_t
and
.Vt fido_bio_template_array_t
types.
.Pp
The functions described in this page allow a
.Vt fido_bio_template_t
type to be allocated, deallocated, changed, and inspected,
and a
.Vt fido_bio_template_array_t
type to be allocated, deallocated, and inspected.
For device operations on
.Vt fido_bio_template_t
and
.Vt fido_bio_template_array_t ,
please refer to
.Xr fido_bio_dev_get_info 3 .
.Pp
The
.Fn fido_bio_template_new
function returns a pointer to a newly allocated, empty
.Vt fido_bio_template_t
type.
If memory cannot be allocated, NULL is returned.
.Pp
The
.Fn fido_bio_template_free
function releases the memory backing
.Fa *template_p ,
where
.Fa *template_p
must have been previously allocated by
.Fn fido_bio_template_new .
On return,
.Fa *template_p
is set to NULL.
Either
.Fa template_p
or
.Fa *template_p
may be NULL, in which case
.Fn fido_bio_template_free
is a NOP.
.Pp
The
.Fn fido_bio_template_name
function returns a pointer to a NUL-terminated string containing
the friendly name of
.Fa template ,
or NULL if
.Fa template
does not have a friendly name set.
.Pp
The
.Fn fido_bio_template_id_ptr
function returns a pointer to the template id of
.Fa template ,
or NULL if
.Fa template
does not have an id.
The corresponding length can be obtained by
.Fn fido_bio_template_id_len .
.Pp
The
.Fn fido_bio_template_set_name
function sets the friendly name of
.Fa template
to
.Fa name .
If
.Fa name
is NULL, the friendly name of
.Fa template
is unset.
.Pp
The
.Fn fido_bio_template_array_new
function returns a pointer to a newly allocated, empty
.Vt fido_bio_template_array_t
type.
If memory cannot be allocated, NULL is returned.
.Pp
The
.Fn fido_bio_template_array_free
function releases the memory backing
.Fa *array_p ,
where
.Fa *array_p
must have been previously allocated by
.Fn fido_bio_template_array_new .
On return,
.Fa *array_p
is set to NULL.
Either
.Fa array_p
or
.Fa *array_p
may be NULL, in which case
.Fn fido_bio_template_array_free
is a NOP.
.Pp
The
.Fn fido_bio_template_array_count
function returns the number of templates in
.Fa array .
.Pp
The
.Fn fido_bio_template
function returns a pointer to the template at index
.Fa idx
in
.Fa array .
Please note that the first template in
.Fa array
has an
.Fa idx
(index) value of 0.
.Sh RETURN VALUES
The error codes returned by
.Fn fido_bio_template_set_id
and
.Fn fido_bio_template_set_name
are defined in
.In fido/err.h .
On success,
.Dv FIDO_OK
is returned.
.Sh SEE ALSO
.Xr fido_bio_dev_get_info 3 ,
.Xr fido_bio_enroll_new 3

389
man/fido_cbor_info_new.3 Normal file
View File

@@ -0,0 +1,389 @@
.\" Copyright (c) 2018-2022 Yubico AB. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions are
.\" met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in
.\" the documentation and/or other materials provided with the
.\" distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" SPDX-License-Identifier: BSD-2-Clause
.\"
.Dd $Mdocdate: April 22 2022 $
.Dt FIDO_CBOR_INFO_NEW 3
.Os
.Sh NAME
.Nm fido_cbor_info_new ,
.Nm fido_cbor_info_free ,
.Nm fido_dev_get_cbor_info ,
.Nm fido_cbor_info_aaguid_ptr ,
.Nm fido_cbor_info_extensions_ptr ,
.Nm fido_cbor_info_protocols_ptr ,
.Nm fido_cbor_info_transports_ptr ,
.Nm fido_cbor_info_versions_ptr ,
.Nm fido_cbor_info_options_name_ptr ,
.Nm fido_cbor_info_options_value_ptr ,
.Nm fido_cbor_info_algorithm_type ,
.Nm fido_cbor_info_algorithm_cose ,
.Nm fido_cbor_info_algorithm_count ,
.Nm fido_cbor_info_certs_name_ptr ,
.Nm fido_cbor_info_certs_value_ptr ,
.Nm fido_cbor_info_certs_len ,
.Nm fido_cbor_info_aaguid_len ,
.Nm fido_cbor_info_extensions_len ,
.Nm fido_cbor_info_protocols_len ,
.Nm fido_cbor_info_transports_len ,
.Nm fido_cbor_info_versions_len ,
.Nm fido_cbor_info_options_len ,
.Nm fido_cbor_info_maxmsgsiz ,
.Nm fido_cbor_info_maxcredbloblen ,
.Nm fido_cbor_info_maxcredcntlst ,
.Nm fido_cbor_info_maxcredidlen ,
.Nm fido_cbor_info_maxlargeblob ,
.Nm fido_cbor_info_maxrpid_minpinlen ,
.Nm fido_cbor_info_minpinlen ,
.Nm fido_cbor_info_fwversion ,
.Nm fido_cbor_info_uv_attempts ,
.Nm fido_cbor_info_uv_modality ,
.Nm fido_cbor_info_rk_remaining ,
.Nm fido_cbor_info_new_pin_required
.Nd FIDO2 CBOR Info API
.Sh SYNOPSIS
.In fido.h
.Ft fido_cbor_info_t *
.Fn fido_cbor_info_new "void"
.Ft void
.Fn fido_cbor_info_free "fido_cbor_info_t **ci_p"
.Ft int
.Fn fido_dev_get_cbor_info "fido_dev_t *dev" "fido_cbor_info_t *ci"
.Ft const unsigned char *
.Fn fido_cbor_info_aaguid_ptr "const fido_cbor_info_t *ci"
.Ft char **
.Fn fido_cbor_info_extensions_ptr "const fido_cbor_info_t *ci"
.Ft const uint8_t *
.Fn fido_cbor_info_protocols_ptr "const fido_cbor_info_t *ci"
.Ft char **
.Fn fido_cbor_info_transports_ptr "const fido_cbor_info_t *ci"
.Ft char **
.Fn fido_cbor_info_versions_ptr "const fido_cbor_info_t *ci"
.Ft char **
.Fn fido_cbor_info_options_name_ptr "const fido_cbor_info_t *ci"
.Ft const bool *
.Fn fido_cbor_info_options_value_ptr "const fido_cbor_info_t *ci"
.Ft const char *
.Fn fido_cbor_info_algorithm_type "const fido_cbor_info_t *ci" "size_t idx"
.Ft int
.Fn fido_cbor_info_algorithm_cose "const fido_cbor_info_t *ci" "size_t idx"
.Ft size_t
.Fn fido_cbor_info_algorithm_count "const fido_cbor_info_t *ci"
.Ft char **
.Fn fido_cbor_info_certs_name_ptr "const fido_cbor_info_t *ci"
.Ft const uint64_t *
.Fn fido_cbor_info_certs_value_ptr "const fido_cbor_info_t *ci"
.Ft size_t
.Fn fido_cbor_info_certs_len "const fido_cbor_info_t *ci"
.Ft size_t
.Fn fido_cbor_info_aaguid_len "const fido_cbor_info_t *ci"
.Ft size_t
.Fn fido_cbor_info_extensions_len "const fido_cbor_info_t *ci"
.Ft size_t
.Fn fido_cbor_info_protocols_len "const fido_cbor_info_t *ci"
.Ft size_t
.Fn fido_cbor_info_transports_len "const fido_cbor_info_t *ci"
.Ft size_t
.Fn fido_cbor_info_versions_len "const fido_cbor_info_t *ci"
.Ft size_t
.Fn fido_cbor_info_options_len "const fido_cbor_info_t *ci"
.Ft uint64_t
.Fn fido_cbor_info_maxmsgsiz "const fido_cbor_info_t *ci"
.Ft uint64_t
.Fn fido_cbor_info_maxcredbloblen "const fido_cbor_info_t *ci"
.Ft uint64_t
.Fn fido_cbor_info_maxcredcntlst "const fido_cbor_info_t *ci"
.Ft uint64_t
.Fn fido_cbor_info_maxcredidlen "const fido_cbor_info_t *ci"
.Ft uint64_t
.Fn fido_cbor_info_maxlargeblob "const fido_cbor_info_t *ci"
.Ft uint64_t
.Fn fido_cbor_info_maxrpid_minpinlen "const fido_cbor_info_t *ci"
.Ft uint64_t
.Fn fido_cbor_info_minpinlen "const fido_cbor_info_t *ci"
.Ft uint64_t
.Fn fido_cbor_info_fwversion "const fido_cbor_info_t *ci"
.Ft uint64_t
.Fn fido_cbor_info_uv_attempts "const fido_cbor_info_t *ci"
.Ft uint64_t
.Fn fido_cbor_info_uv_modality "const fido_cbor_info_t *ci"
.Ft int64_t
.Fn fido_cbor_info_rk_remaining "const fido_cbor_info_t *ci"
.Ft bool
.Fn fido_cbor_info_new_pin_required "const fido_cbor_info_t *ci"
.Sh DESCRIPTION
The
.Fn fido_cbor_info_new
function returns a pointer to a newly allocated, empty
.Vt fido_cbor_info_t
type.
If memory cannot be allocated, NULL is returned.
.Pp
The
.Fn fido_cbor_info_free
function releases the memory backing
.Fa *ci_p ,
where
.Fa *ci_p
must have been previously allocated by
.Fn fido_cbor_info_new .
On return,
.Fa *ci_p
is set to NULL.
Either
.Fa ci_p
or
.Fa *ci_p
may be NULL, in which case
.Fn fido_cbor_info_free
is a NOP.
.Pp
The
.Fn fido_dev_get_cbor_info
function transmits a
.Dv CTAP_CBOR_GETINFO
command to
.Fa dev
and fills
.Fa ci
with attributes retrieved from the command's response.
The
.Fn fido_dev_get_cbor_info
function may block.
.Pp
The
.Fn fido_cbor_info_aaguid_ptr ,
.Fn fido_cbor_info_extensions_ptr ,
.Fn fido_cbor_info_protocols_ptr ,
.Fn fido_cbor_info_transports_ptr ,
and
.Fn fido_cbor_info_versions_ptr
functions return pointers to the authenticator attestation GUID,
supported extensions, PIN protocol, transports, and CTAP version
strings of
.Fa ci .
The corresponding length of a given attribute can be
obtained by
.Fn fido_cbor_info_aaguid_len ,
.Fn fido_cbor_info_extensions_len ,
.Fn fido_cbor_info_protocols_len ,
.Fn fido_cbor_info_transports_len ,
or
.Fn fido_cbor_info_versions_len .
.Pp
The
.Fn fido_cbor_info_options_name_ptr
and
.Fn fido_cbor_info_options_value_ptr
functions return pointers to the array of option names and their
respective values
in
.Fa ci .
The length of the options array is returned by
.Fn fido_cbor_info_options_len .
.Pp
The
.Fn fido_cbor_info_algorithm_count
function returns the number of supported algorithms in
.Fa ci .
The
.Fn fido_cbor_info_algorithm_cose
function returns the COSE identifier of algorithm
.Fa idx
in
.Fa ci ,
or 0 if the COSE identifier is unknown or unset.
The
.Fn fido_cbor_info_algorithm_type
function returns the type of algorithm
.Fa idx
in
.Fa ci ,
or NULL if the type is unset.
Please note that the first algorithm in
.Fa ci
has an
.Fa idx
(index) value of 0.
.Pp
The
.Fn fido_cbor_info_certs_name_ptr
and
.Fn fido_cbor_info_certs_value_ptr
functions return pointers to the array of certification names and their
respective values
in
.Fa ci .
The length of the certifications array is returned by
.Fn fido_cbor_info_certs_len .
.Pp
The
.Fn fido_cbor_info_maxmsgsiz
function returns the maximum message size attribute of
.Fa ci .
.Pp
The
.Fn fido_cbor_info_maxcredbloblen
function returns the maximum
.Dq credBlob
length in bytes supported by the authenticator as reported in
.Fa ci .
.Pp
The
.Fn fido_cbor_info_maxcredcntlst
function returns the maximum supported number of credentials in
a single credential ID list as reported in
.Fa ci .
.Pp
The
.Fn fido_cbor_info_maxcredidlen
function returns the maximum supported length of a credential ID
as reported in
.Fa ci .
.Pp
The
.Fn fido_cbor_info_maxrpid_minpinlen
function returns the maximum number of RP IDs that may be passed to
.Xr fido_dev_set_pin_minlen_rpid 3 ,
as reported in
.Fa ci .
The minimum PIN length attribute is a CTAP 2.1 addition.
If the attribute is not advertised by the authenticator, the
.Fn fido_cbor_info_maxrpid_minpinlen
function returns zero.
.Pp
The
.Fn fido_cbor_info_maxlargeblob
function returns the maximum length in bytes of an authenticator's
serialized largeBlob array as reported in
.Fa ci .
.Pp
The
.Fn fido_cbor_info_minpinlen
function returns the minimum PIN length enforced by the
authenticator as reported in
.Fa ci .
The minimum PIN length attribute is a CTAP 2.1 addition.
If the attribute is not advertised by the authenticator, the
.Fn fido_cbor_info_minpinlen
function returns zero.
.Pp
The
.Fn fido_cbor_info_fwversion
function returns the firmware version attribute of
.Fa ci .
.Pp
The
.Fn fido_cbor_info_uv_attempts
function returns the number of UV attempts that the platform may
attempt before falling back to PIN authentication.
If 1, then all
.Xr fido_dev_get_uv_retry_count 3
retries are handled internally by the authenticator and the
platform may only attempt non-PIN UV once.
The UV attempts attribute is a CTAP 2.1 addition.
If the attribute is not advertised by the authenticator,
the
.Fn fido_cbor_info_uv_attempts
function returns zero.
.Pp
The
.Fn fido_cbor_info_uv_modality
function returns a bitmask representing different UV modes
supported by the authenticator, as defined in the FIDO Registry of
Predefined Values and reported in
.Fa ci .
See the
.Em FIDO_UV_MODE_*
definitions in
.In fido/param.h
for the set of values defined by libfido2 and a brief description
of each.
The UV modality attribute is a CTAP 2.1 addition.
If the attribute is not advertised by the authenticator, the
.Fn fido_cbor_info_uv_modality
function returns zero.
.Pp
The
.Fn fido_cbor_info_rk_remaining
function returns the estimated number of additional
resident/discoverable credentials that can be stored on the
authenticator as reported in
.Fa ci .
The estimated number of remaining resident credentials is a
CTAP 2.1 addition.
If the attribute is not advertised by the authenticator, the
.Fn fido_cbor_info_rk_remaining
function returns -1.
.Pp
The
.Fn fido_cbor_info_new_pin_required
function returns whether a new PIN is required by the authenticator
as reported in
.Fa ci .
If
.Fn fido_cbor_info_new_pin_required
returns true, operations requiring PIN authentication will fail
until a new PIN is set on the authenticator.
The
.Xr fido_dev_set_pin 3
function can be used to set a new PIN.
.Pp
A complete example of how to use these functions can be found in the
.Pa example/info.c
file shipped with
.Em libfido2 .
.Sh RETURN VALUES
The
.Fn fido_cbor_info_aaguid_ptr ,
.Fn fido_cbor_info_extensions_ptr ,
.Fn fido_cbor_info_protocols_ptr ,
.Fn fido_cbor_info_transports_ptr ,
.Fn fido_cbor_info_versions_ptr ,
.Fn fido_cbor_info_options_name_ptr ,
and
.Fn fido_cbor_info_options_value_ptr
functions return NULL if the respective field in
.Fa ci
is absent.
If not NULL, returned pointers are guaranteed to exist until any
API function that takes
.Fa ci
without the
.Em const
qualifier is invoked.
.Sh SEE ALSO
.Xr fido_dev_get_uv_retry_count 3 ,
.Xr fido_dev_open 3 ,
.Xr fido_dev_set_pin 3 ,
.Xr fido_dev_set_pin_minlen_rpid 3
.Rs
.%D 2021-05-25
.%O Review Draft, Version 2.2
.%Q FIDO Alliance
.%R FIDO Registry of Predefined Values
.%U https://fidoalliance.org/specs/common-specs/fido-registry-v2.2-rd-20210525.html
.Re

93
man/fido_cred_exclude.3 Normal file
View File

@@ -0,0 +1,93 @@
.\" Copyright (c) 2018-2022 Yubico AB. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions are
.\" met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in
.\" the documentation and/or other materials provided with the
.\" distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" SPDX-License-Identifier: BSD-2-Clause
.\"
.Dd $Mdocdate: December 2 2022 $
.Dt FIDO_CRED_EXCLUDE 3
.Os
.Sh NAME
.Nm fido_cred_exclude ,
.Nm fido_cred_empty_exclude_list
.Nd manage exclude lists in a FIDO2 credential
.Sh SYNOPSIS
.In fido.h
.Ft int
.Fn fido_cred_exclude "fido_cred_t *cred" "const unsigned char *ptr" "size_t len"
.Ft int
.Fn fido_cred_empty_exclude_list "fido_cred_t *cred"
.Sh DESCRIPTION
The
.Fn fido_cred_exclude
function adds
.Fa ptr
to the list of credentials excluded by
.Fa cred ,
where
.Fa ptr
points to a credential ID of
.Fa len
bytes.
A copy of
.Fa ptr
is made, and no references to the passed pointer are kept.
If
.Fn fido_cred_exclude
fails, the existing list of excluded credentials is preserved.
.Pp
If
.Nm
returns success and
.Fa cred
is later passed to
.Xr fido_dev_make_cred 3
on a device that contains the credential
denoted by
.Fa ptr ,
then
.Xr fido_dev_make_cred 3
will fail.
.Pp
For the format of a FIDO2 credential ID, please refer to the
Web Authentication (webauthn) standard.
.Pp
The
.Fn fido_cred_empty_exclude_list
function empties the list of credentials excluded by
.Fa cred .
.Sh RETURN VALUES
The error codes returned by
.Fn fido_cred_exclude
and
.Fn fido_cred_empty_exclude_list
are defined in
.In fido/err.h .
On success,
.Dv FIDO_OK
is returned.
.Sh SEE ALSO
.Xr fido_cred_new 3 ,
.Xr fido_cred_set_authdata 3 ,
.Xr fido_dev_make_cred 3

356
man/fido_cred_new.3 Normal file
View File

@@ -0,0 +1,356 @@
.\" Copyright (c) 2018-2024 Yubico AB. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions are
.\" met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in
.\" the documentation and/or other materials provided with the
.\" distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" SPDX-License-Identifier: BSD-2-Clause
.\"
.Dd $Mdocdate: May 23 2018 $
.Dt FIDO_CRED_NEW 3
.Os
.Sh NAME
.Nm fido_cred_new ,
.Nm fido_cred_free ,
.Nm fido_cred_pin_minlen ,
.Nm fido_cred_prot ,
.Nm fido_cred_fmt ,
.Nm fido_cred_rp_id ,
.Nm fido_cred_rp_name ,
.Nm fido_cred_user_name ,
.Nm fido_cred_display_name ,
.Nm fido_cred_authdata_ptr ,
.Nm fido_cred_authdata_raw_ptr ,
.Nm fido_cred_clientdata_hash_ptr ,
.Nm fido_cred_id_ptr ,
.Nm fido_cred_aaguid_ptr ,
.Nm fido_cred_largeblob_key_ptr ,
.Nm fido_cred_pubkey_ptr ,
.Nm fido_cred_sig_ptr ,
.Nm fido_cred_user_id_ptr ,
.Nm fido_cred_x5c_list_count ,
.Nm fido_cred_x5c_list_ptr ,
.Nm fido_cred_x5c_ptr ,
.Nm fido_cred_attstmt_ptr ,
.Nm fido_cred_authdata_len ,
.Nm fido_cred_authdata_raw_len ,
.Nm fido_cred_clientdata_hash_len ,
.Nm fido_cred_id_len ,
.Nm fido_cred_aaguid_len ,
.Nm fido_cred_largeblob_key_len ,
.Nm fido_cred_pubkey_len ,
.Nm fido_cred_sig_len ,
.Nm fido_cred_user_id_len ,
.Nm fido_cred_x5c_list_len ,
.Nm fido_cred_x5c_len ,
.Nm fido_cred_attstmt_len ,
.Nm fido_cred_type ,
.Nm fido_cred_flags ,
.Nm fido_cred_sigcount
.Nd FIDO2 credential API
.Sh SYNOPSIS
.In fido.h
.Ft fido_cred_t *
.Fn fido_cred_new "void"
.Ft void
.Fn fido_cred_free "fido_cred_t **cred_p"
.Ft size_t
.Fn fido_cred_pin_minlen "const fido_cred_t *cred"
.Ft int
.Fn fido_cred_prot "const fido_cred_t *cred"
.Ft const char *
.Fn fido_cred_fmt "const fido_cred_t *cred"
.Ft const char *
.Fn fido_cred_rp_id "const fido_cred_t *cred"
.Ft const char *
.Fn fido_cred_rp_name "const fido_cred_t *cred"
.Ft const char *
.Fn fido_cred_user_name "const fido_cred_t *cred"
.Ft const char *
.Fn fido_cred_display_name "const fido_cred_t *cred"
.Ft const unsigned char *
.Fn fido_cred_authdata_ptr "const fido_cred_t *cred"
.Ft const unsigned char *
.Fn fido_cred_authdata_raw_ptr "const fido_cred_t *cred"
.Ft const unsigned char *
.Fn fido_cred_clientdata_hash_ptr "const fido_cred_t *cred"
.Ft const unsigned char *
.Fn fido_cred_id_ptr "const fido_cred_t *cred"
.Ft const unsigned char *
.Fn fido_cred_aaguid_ptr "const fido_cred_t *cred"
.Ft const unsigned char *
.Fn fido_cred_largeblob_key_ptr "const fido_cred_t *cred"
.Ft const unsigned char *
.Fn fido_cred_pubkey_ptr "const fido_cred_t *cred"
.Ft const unsigned char *
.Fn fido_cred_sig_ptr "const fido_cred_t *cred"
.Ft const unsigned char *
.Fn fido_cred_user_id_ptr "const fido_cred_t *cred"
.Ft size_t
.Fn fido_cred_x5c_list_count "const fido_cred_t *cred"
.Ft const unsigned char *
.Fn fido_cred_x5c_list_ptr "const fido_cred_t *cred" "size_t idx"
.Ft const unsigned char *
.Fn fido_cred_x5c_ptr "const fido_cred_t *cred"
.Ft const unsigned char *
.Fn fido_cred_attstmt_ptr "const fido_cred_t *cred"
.Ft size_t
.Fn fido_cred_authdata_len "const fido_cred_t *cred"
.Ft size_t
.Fn fido_cred_authdata_raw_len "const fido_cred_t *cred"
.Ft size_t
.Fn fido_cred_clientdata_hash_len "const fido_cred_t *cred"
.Ft size_t
.Fn fido_cred_id_len "const fido_cred_t *cred"
.Ft size_t
.Fn fido_cred_aaguid_len "const fido_cred_t *cred"
.Ft size_t
.Fn fido_cred_largeblob_key_len "const fido_cred_t *cred"
.Ft size_t
.Fn fido_cred_pubkey_len "const fido_cred_t *cred"
.Ft size_t
.Fn fido_cred_sig_len "const fido_cred_t *cred"
.Ft size_t
.Fn fido_cred_user_id_len "const fido_cred_t *cred"
.Ft size_t
.Fn fido_cred_x5c_list_len "const fido_cred_t *cred" "size_t idx"
.Ft size_t
.Fn fido_cred_x5c_len "const fido_cred_t *cred"
.Ft size_t
.Fn fido_cred_attstmt_len "const fido_cred_t *cred"
.Ft int
.Fn fido_cred_type "const fido_cred_t *cred"
.Ft uint8_t
.Fn fido_cred_flags "const fido_cred_t *cred"
.Ft uint32_t
.Fn fido_cred_sigcount "const fido_cred_t *cred"
.Sh DESCRIPTION
FIDO2 credentials are abstracted in
.Em libfido2
by the
.Vt fido_cred_t
type.
The functions described in this page allow a
.Vt fido_cred_t
type to be allocated, deallocated, and inspected.
For other operations on
.Vt fido_cred_t ,
please refer to
.Xr fido_cred_set_authdata 3 ,
.Xr fido_cred_exclude 3 ,
.Xr fido_cred_verify 3 ,
and
.Xr fido_dev_make_cred 3 .
.Pp
The
.Fn fido_cred_new
function returns a pointer to a newly allocated, empty
.Vt fido_cred_t
type.
If memory cannot be allocated, NULL is returned.
.Pp
The
.Fn fido_cred_free
function releases the memory backing
.Fa *cred_p ,
where
.Fa *cred_p
must have been previously allocated by
.Fn fido_cred_new .
On return,
.Fa *cred_p
is set to NULL.
Either
.Fa cred_p
or
.Fa *cred_p
may be NULL, in which case
.Fn fido_cred_free
is a NOP.
.Pp
If the CTAP 2.1
.Dv FIDO_EXT_MINPINLEN
extension is enabled on
.Fa cred ,
then the
.Fn fido_cred_pin_minlen
function returns the minimum PIN length of
.Fa cred .
Otherwise,
.Fn fido_cred_pin_minlen
returns zero.
See
.Xr fido_cred_set_pin_minlen 3
on how to enable this extension.
.Pp
If the CTAP 2.1
.Dv FIDO_EXT_CRED_PROTECT
extension is enabled on
.Fa cred ,
then the
.Fn fido_cred_prot
function returns the protection of
.Fa cred .
Otherwise,
.Fn fido_cred_prot
returns zero.
See
.Xr fido_cred_set_prot 3
for the protection policies understood by
.Em libfido2 .
.Pp
The
.Fn fido_cred_fmt
function returns a pointer to a NUL-terminated string containing
the attestation statement format identifier of
.Fa cred ,
or NULL if
.Fa cred
does not have a format set.
.Pp
The
.Fn fido_cred_rp_id ,
.Fn fido_cred_rp_name ,
.Fn fido_cred_user_name ,
and
.Fn fido_cred_display_name
functions return pointers to NUL-terminated strings holding the
relying party ID, relying party name, user name, and user display
name attributes of
.Fa cred ,
or NULL if the respective entry is not set.
.Pp
The
.Fn fido_cred_authdata_ptr ,
.Fn fido_cred_authdata_raw_ptr ,
.Fn fido_cred_clientdata_hash_ptr ,
.Fn fido_cred_id_ptr ,
.Fn fido_cred_aaguid_ptr ,
.Fn fido_cred_largeblob_key_ptr ,
.Fn fido_cred_pubkey_ptr ,
.Fn fido_cred_sig_ptr ,
.Fn fido_cred_user_id_ptr ,
.Fn fido_cred_x5c_ptr ,
and
.Fn fido_cred_attstmt_ptr
functions return pointers to the CBOR-encoded and raw authenticator
data, client data hash, ID, authenticator attestation GUID,
.Dq largeBlobKey ,
public key, signature, user ID, x509 leaf certificate, and attestation
statement parts of
.Fa cred ,
or NULL if the respective entry is not set.
.Pp
The corresponding length can be obtained by
.Fn fido_cred_authdata_len ,
.Fn fido_cred_authdata_raw_len ,
.Fn fido_cred_clientdata_hash_len ,
.Fn fido_cred_id_len ,
.Fn fido_cred_aaguid_len ,
.Fn fido_cred_largeblob_key_len ,
.Fn fido_cred_pubkey_len ,
.Fn fido_cred_sig_len ,
.Fn fido_cred_user_id_len ,
.Fn fido_cred_x5c_len ,
and
.Fn fido_cred_attstmt_len .
.Pp
The
.Fn fido_cred_x5c_list_count
function returns the length of the x509 certificate chain in
.Fa cred
and the
.Fn fido_cred_x5c_list_ptr
and
.Fn fido_cred_x5c_list_len
functions return a pointer to and length of the x509 certificate at index
.Fa idx
respectively.
Please note that the leaf certificate has an
.Fa idx
(index) value of 0 and calling
.Fn fido_cred_x5c_list_ptr cred 0
and
.Fn fido_cred_x5c_list_len cred 0
is equivalent to
.Fn fido_cred_x5c_ptr cred
and
.Fn fido_cred_x5c_len cred
respectively.
If
.Fa idx
exceeds the return value of
.Fn fido_cred_x5c_list_count ,
.Fn fido_cred_x5c_list_ptr
returns NULL and
.Fn fido_cred_x5c_list_len
returns 0.
.Pp
The authenticator data, x509 certificate, and signature parts of a
credential are typically passed to a FIDO2 server for verification.
.Pp
The
.Fn fido_cred_type
function returns the COSE algorithm of
.Fa cred .
.Pp
The
.Fn fido_cred_flags
function returns the authenticator data flags of
.Fa cred .
.Pp
The
.Fn fido_cred_sigcount
function returns the authenticator data signature counter of
.Fa cred .
.Sh RETURN VALUES
The authenticator data returned by
.Fn fido_cred_authdata_ptr
is a CBOR-encoded byte string, as obtained from the authenticator.
To obtain the decoded byte string, use
.Fn fido_cred_authdata_raw_ptr .
.Pp
If not NULL, pointers returned by
.Fn fido_cred_fmt ,
.Fn fido_cred_authdata_ptr ,
.Fn fido_cred_clientdata_hash_ptr ,
.Fn fido_cred_id_ptr ,
.Fn fido_cred_aaguid_ptr ,
.Fn fido_cred_largeblob_key_ptr ,
.Fn fido_cred_pubkey_ptr ,
.Fn fido_cred_sig_ptr ,
and
.Fn fido_cred_x5c_ptr
are guaranteed to exist until any API function that takes
.Fa cred
without the
.Em const
qualifier is invoked.
.Sh SEE ALSO
.Xr fido_cred_exclude 3 ,
.Xr fido_cred_set_authdata 3 ,
.Xr fido_cred_set_pin_minlen 3 ,
.Xr fido_cred_set_prot 3 ,
.Xr fido_cred_verify 3 ,
.Xr fido_credman_metadata_new 3 ,
.Xr fido_dev_largeblob_get 3 ,
.Xr fido_dev_make_cred 3

402
man/fido_cred_set_authdata.3 Normal file
View File

@@ -0,0 +1,402 @@
.\" Copyright (c) 2018-2022 Yubico AB. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions are
.\" met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in
.\" the documentation and/or other materials provided with the
.\" distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" SPDX-License-Identifier: BSD-2-Clause
.\"
.Dd $Mdocdate: July 15 2022 $
.Dt FIDO_CRED_SET_AUTHDATA 3
.Os
.Sh NAME
.Nm fido_cred_set_authdata ,
.Nm fido_cred_set_authdata_raw ,
.Nm fido_cred_set_attstmt ,
.Nm fido_cred_set_attobj ,
.Nm fido_cred_set_x509 ,
.Nm fido_cred_set_sig ,
.Nm fido_cred_set_id ,
.Nm fido_cred_set_clientdata ,
.Nm fido_cred_set_clientdata_hash ,
.Nm fido_cred_set_rp ,
.Nm fido_cred_set_user ,
.Nm fido_cred_set_extensions ,
.Nm fido_cred_set_blob ,
.Nm fido_cred_set_pin_minlen ,
.Nm fido_cred_set_prot ,
.Nm fido_cred_set_rk ,
.Nm fido_cred_set_uv ,
.Nm fido_cred_set_fmt ,
.Nm fido_cred_set_type
.Nd set parameters of a FIDO2 credential
.Sh SYNOPSIS
.In fido.h
.Bd -literal
typedef enum {
FIDO_OPT_OMIT = 0, /* use authenticator's default */
FIDO_OPT_FALSE, /* explicitly set option to false */
FIDO_OPT_TRUE, /* explicitly set option to true */
} fido_opt_t;
.Ed
.Ft int
.Fn fido_cred_set_authdata "fido_cred_t *cred" "const unsigned char *ptr" "size_t len"
.Ft int
.Fn fido_cred_set_authdata_raw "fido_cred_t *cred" "const unsigned char *ptr" "size_t len"
.Ft int
.Fn fido_cred_set_attstmt "fido_cred_t *cred" "const unsigned char *ptr" "size_t len"
.Ft int
.Fn fido_cred_set_attobj "fido_cred_t *cred" "const unsigned char *ptr" "size_t len"
.Ft int
.Fn fido_cred_set_x509 "fido_cred_t *cred" "const unsigned char *ptr" "size_t len"
.Ft int
.Fn fido_cred_set_sig "fido_cred_t *cred" "const unsigned char *ptr" "size_t len"
.Ft int
.Fn fido_cred_set_id "fido_cred_t *cred" "const unsigned char *ptr" "size_t len"
.Ft int
.Fn fido_cred_set_clientdata "fido_cred_t *cred" "const unsigned char *ptr" "size_t len"
.Ft int
.Fn fido_cred_set_clientdata_hash "fido_cred_t *cred" "const unsigned char *ptr" "size_t len"
.Ft int
.Fn fido_cred_set_rp "fido_cred_t *cred" "const char *id" "const char *name"
.Ft int
.Fn fido_cred_set_user "fido_cred_t *cred" "const unsigned char *user_id" "size_t user_id_len" "const char *name" "const char *display_name" "const char *icon"
.Ft int
.Fn fido_cred_set_extensions "fido_cred_t *cred" "int flags"
.Ft int
.Fn fido_cred_set_blob "fido_cred_t *cred" "const unsigned char *ptr" "size_t len"
.Ft int
.Fn fido_cred_set_pin_minlen "fido_cred_t *cred" "size_t len"
.Ft int
.Fn fido_cred_set_prot "fido_cred_t *cred" "int prot"
.Ft int
.Fn fido_cred_set_rk "fido_cred_t *cred" "fido_opt_t rk"
.Ft int
.Fn fido_cred_set_uv "fido_cred_t *cred" "fido_opt_t uv"
.Ft int
.Fn fido_cred_set_fmt "fido_cred_t *cred" "const char *ptr"
.Ft int
.Fn fido_cred_set_type "fido_cred_t *cred" "int cose_alg"
.Sh DESCRIPTION
The
.Nm
set of functions define the various parameters of a FIDO2
credential, allowing a
.Fa fido_cred_t
type to be prepared for a subsequent call to
.Xr fido_dev_make_cred 3
or
.Xr fido_cred_verify 3 .
For the complete specification of a FIDO2 credential and the format
of its constituent parts, please refer to the Web Authentication
(webauthn) standard.
.Pp
The
.Fn fido_cred_set_authdata ,
.Fn fido_cred_set_attstmt ,
.Fn fido_cred_set_attobj ,
.Fn fido_cred_set_x509 ,
.Fn fido_cred_set_sig ,
.Fn fido_cred_set_id ,
and
.Fn fido_cred_set_clientdata_hash
functions set the authenticator data, attestation statement,
attestation object, attestation certificate, attestation signature,
id, and client data hash parts of
.Fa cred
to
.Fa ptr ,
where
.Fa ptr
points to
.Fa len
bytes.
A copy of
.Fa ptr
is made, and no references to the passed pointer are kept.
.Pp
The authenticator data passed to
.Fn fido_cred_set_authdata
must be a CBOR-encoded byte string, as obtained from
.Fn fido_cred_authdata_ptr .
Alternatively, a raw binary blob may be passed to
.Fn fido_cred_set_authdata_raw .
An application calling
.Fn fido_cred_set_authdata
does not need to call
.Fn fido_cred_set_id .
The latter is meant to be used in contexts where the
credential's authenticator data is not available.
.Pp
The attestation statement passed to
.Fn fido_cred_set_attstmt
must be a CBOR-encoded map, as obtained from
.Fn fido_cred_attstmt_ptr .
An application calling
.Fn fido_cred_set_attstmt
does not need to call
.Fn fido_cred_set_x509
or
.Fn fido_cred_set_sig .
The latter two are meant to be used in contexts where the
credential's complete attestation statement is not available or
required.
.Pp
The attestation object passed to
.Fn fido_cred_set_attobj
must be a CBOR-encoded map containing
.Dq authData ,
.Dq fmt ,
and
.Dq attStmt .
An application calling
.Fn fido_cred_set_attobj
does not need to call
.Fn fido_cred_set_fmt ,
.Fn fido_cred_set_attstmt ,
.Fn fido_cred_set_authdata ,
or
.Fn fido_cred_set_authdata_raw .
.Pp
The
.Fn fido_cred_set_clientdata
function allows an application to set the client data hash of
.Fa cred
by specifying the credential's unhashed client data.
This is required by Windows Hello, which calculates the client data
hash internally.
For compatibility with Windows Hello, applications should use
.Fn fido_cred_set_clientdata
instead of
.Fn fido_cred_set_clientdata_hash .
.Pp
The
.Fn fido_cred_set_rp
function sets the relying party
.Fa id
and
.Fa name
parameters of
.Fa cred ,
where
.Fa id
and
.Fa name
are NUL-terminated UTF-8 strings.
The contents of
.Fa id
and
.Fa name
are copied, and no references to the passed pointers are kept.
.Pp
The
.Fn fido_cred_set_user
function sets the user attributes of
.Fa cred ,
where
.Fa user_id
points to
.Fa user_id_len
bytes and
.Fa name ,
.Fa display_name ,
and
.Fa icon
are NUL-terminated UTF-8 strings.
The contents of
.Fa user_id ,
.Fa name ,
.Fa display_name ,
and
.Fa icon
are copied, and no references to the passed pointers are kept.
Previously set user attributes are flushed.
The
.Fa user_id ,
.Fa name ,
.Fa display_name ,
and
.Fa icon
parameters may be NULL.
.Pp
The
.Fn fido_cred_set_extensions
function sets the extensions of
.Fa cred
to the bitmask
.Fa flags .
At the moment, only the
.Dv FIDO_EXT_CRED_BLOB ,
.Dv FIDO_EXT_CRED_PROTECT ,
.Dv FIDO_EXT_HMAC_SECRET ,
.Dv FIDO_EXT_MINPINLEN ,
and
.Dv FIDO_EXT_LARGEBLOB_KEY
extensions are supported.
If
.Fa flags
is zero, the extensions of
.Fa cred
are cleared.
.Pp
The
.Fn fido_cred_set_blob
function sets the
.Dq credBlob
to be stored with
.Fa cred
to the data pointed to by
.Fa ptr ,
which must be
.Fa len
bytes long.
.Pp
The
.Fn fido_cred_set_pin_minlen
function enables the CTAP 2.1
.Dv FIDO_EXT_MINPINLEN
extension on
.Fa cred
and sets the expected minimum PIN length of
.Fa cred
to
.Fa len ,
where
.Fa len
is greater than zero.
If
.Fa len
is zero, the
.Dv FIDO_EXT_MINPINLEN
extension is disabled on
.Fa cred .
.Pp
The
.Fn fido_cred_set_prot
function enables the CTAP 2.1
.Dv FIDO_EXT_CRED_PROTECT
extension on
.Fa cred
and sets the protection of
.Fa cred
to the scalar
.Fa prot .
At the moment, only the
.Dv FIDO_CRED_PROT_UV_OPTIONAL ,
.Dv FIDO_CRED_PROT_UV_OPTIONAL_WITH_ID ,
and
.Dv FIDO_CRED_PROT_UV_REQUIRED
protections are supported.
If
.Fa prot
is zero, the protection of
.Fa cred
is cleared.
.Pp
The
.Fn fido_cred_set_rk
and
.Fn fido_cred_set_uv
functions set the
.Em rk
.Pq resident/discoverable key
and
.Em uv
.Pq user verification
attributes of
.Fa cred .
Both are
.Dv FIDO_OPT_OMIT
by default, allowing the authenticator to use its default settings.
.Pp
The
.Fn fido_cred_set_fmt
function sets the attestation statement format identifier of
.Fa cred
to
.Fa fmt ,
where
.Fa fmt
must be
.Vt "packed"
.Pq the format used in FIDO2 ,
.Vt "fido-u2f"
.Pq the format used in U2F ,
.Vt "tpm"
.Pq the format used by TPM-based authenticators ,
or
.Vt "none" .
A copy of
.Fa fmt
is made, and no references to the passed pointer are kept.
Note that not all authenticators support FIDO2 and therefore may only
be able to generate
.Vt fido-u2f
attestation statements.
.Pp
The
.Fn fido_cred_set_type
function sets the type of
.Fa cred to
.Fa cose_alg ,
where
.Fa cose_alg
is
.Dv COSE_ES256 ,
.Dv COSE_ES384 ,
.Dv COSE_RS256 ,
or
.Dv COSE_EDDSA .
The type of a credential may only be set once.
Note that not all authenticators support COSE_RS256, COSE_ES384, or
COSE_EDDSA.
.Pp
Use of the
.Nm
set of functions may happen in two distinct situations:
when generating a new credential on a FIDO2 device, prior to
.Xr fido_dev_make_cred 3
(i.e, in the context of a FIDO2 client), or when validating
a generated credential using
.Xr fido_cred_verify 3
(i.e, in the context of a FIDO2 server).
.Pp
For a complete description of the generation of a FIDO2 credential
and its verification, please refer to the FIDO2 specification.
A concrete utilisation example of the
.Nm
set of functions can be found in the
.Pa cred.c
example shipped with
.Em libfido2 .
.Sh RETURN VALUES
The error codes returned by the
.Nm
set of functions are defined in
.In fido/err.h .
On success,
.Dv FIDO_OK
is returned.
.Sh SEE ALSO
.Xr fido_cred_exclude 3 ,
.Xr fido_cred_verify 3 ,
.Xr fido_dev_make_cred 3

114
man/fido_cred_verify.3 Normal file
View File

@@ -0,0 +1,114 @@
.\" Copyright (c) 2018-2021 Yubico AB. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions are
.\" met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in
.\" the documentation and/or other materials provided with the
.\" distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" SPDX-License-Identifier: BSD-2-Clause
.\"
.Dd $Mdocdate: May 23 2018 $
.Dt FIDO_CRED_VERIFY 3
.Os
.Sh NAME
.Nm fido_cred_verify ,
.Nm fido_cred_verify_self
.Nd verify the attestation signature of a FIDO2 credential
.Sh SYNOPSIS
.In fido.h
.Ft int
.Fn fido_cred_verify "const fido_cred_t *cred"
.Ft int
.Fn fido_cred_verify_self "const fido_cred_t *cred"
.Sh DESCRIPTION
The
.Fn fido_cred_verify
and
.Fn fido_cred_verify_self
functions verify whether the attestation signature contained in
.Fa cred
matches the attributes of the credential.
Before using
.Fn fido_cred_verify
or
.Fn fido_cred_verify_self
in a sensitive context, the reader is strongly encouraged to make
herself familiar with the FIDO2 credential attestation process
as defined in the Web Authentication (webauthn) standard.
.Pp
The
.Fn fido_cred_verify
function verifies whether the client data hash, relying party ID,
credential ID, type, protection policy, minimum PIN length, and
resident/discoverable key and user verification attributes of
.Fa cred
have been attested by the holder of the private counterpart of
the public key contained in the credential's x509 certificate.
.Pp
Please note that the x509 certificate itself is not verified.
.Pp
The attestation statement formats supported by
.Fn fido_cred_verify
are
.Em packed ,
.Em fido-u2f ,
and
.Em tpm .
The attestation type implemented by
.Fn fido_cred_verify
is
.Em Basic Attestation .
.Pp
The
.Fn fido_cred_verify_self
function verifies whether the client data hash, relying party ID,
credential ID, type, protection policy, minimum PIN length, and
resident/discoverable key and user verification attributes of
.Fa cred
have been attested by the holder of the credential's private key.
.Pp
The attestation statement formats supported by
.Fn fido_cred_verify_self
are
.Em packed
and
.Em fido-u2f .
The attestation type implemented by
.Fn fido_cred_verify_self
is
.Em Self Attestation .
.Pp
Other attestation formats and types are not supported.
.Sh RETURN VALUES
The error codes returned by
.Fn fido_cred_verify
and
.Fn fido_cred_verify_self
are defined in
.In fido/err.h .
If
.Fa cred
passes verification, then
.Dv FIDO_OK
is returned.
.Sh SEE ALSO
.Xr fido_cred_new 3 ,
.Xr fido_cred_set_authdata 3

349
man/fido_credman_metadata_new.3 Normal file
View File

@@ -0,0 +1,349 @@
.\" Copyright (c) 2019-2021 Yubico AB. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions are
.\" met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in
.\" the documentation and/or other materials provided with the
.\" distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" SPDX-License-Identifier: BSD-2-Clause
.\"
.Dd $Mdocdate: June 28 2019 $
.Dt FIDO_CREDMAN_METADATA_NEW 3
.Os
.Sh NAME
.Nm fido_credman_metadata_new ,
.Nm fido_credman_rk_new ,
.Nm fido_credman_rp_new ,
.Nm fido_credman_metadata_free ,
.Nm fido_credman_rk_free ,
.Nm fido_credman_rp_free ,
.Nm fido_credman_rk_existing ,
.Nm fido_credman_rk_remaining ,
.Nm fido_credman_rk ,
.Nm fido_credman_rk_count ,
.Nm fido_credman_rp_id ,
.Nm fido_credman_rp_name ,
.Nm fido_credman_rp_count ,
.Nm fido_credman_rp_id_hash_ptr ,
.Nm fido_credman_rp_id_hash_len ,
.Nm fido_credman_get_dev_metadata ,
.Nm fido_credman_get_dev_rk ,
.Nm fido_credman_set_dev_rk ,
.Nm fido_credman_del_dev_rk ,
.Nm fido_credman_get_dev_rp
.Nd FIDO2 credential management API
.Sh SYNOPSIS
.In fido.h
.In fido/credman.h
.Ft fido_credman_metadata_t *
.Fn fido_credman_metadata_new "void"
.Ft fido_credman_rk_t *
.Fn fido_credman_rk_new "void"
.Ft fido_credman_rp_t *
.Fn fido_credman_rp_new "void"
.Ft void
.Fn fido_credman_metadata_free "fido_credman_metadata_t **metadata_p"
.Ft void
.Fn fido_credman_rk_free "fido_credman_rk_t **rk_p"
.Ft void
.Fn fido_credman_rp_free "fido_credman_rp_t **rp_p"
.Ft uint64_t
.Fn fido_credman_rk_existing "const fido_credman_metadata_t *metadata"
.Ft uint64_t
.Fn fido_credman_rk_remaining "const fido_credman_metadata_t *metadata"
.Ft const fido_cred_t *
.Fn fido_credman_rk "const fido_credman_rk_t *rk" "size_t idx"
.Ft size_t
.Fn fido_credman_rk_count "const fido_credman_rk_t *rk"
.Ft const char *
.Fn fido_credman_rp_id "const fido_credman_rp_t *rp" "size_t idx"
.Ft const char *
.Fn fido_credman_rp_name "const fido_credman_rp_t *rp" "size_t idx"
.Ft size_t
.Fn fido_credman_rp_count "const fido_credman_rp_t *rp"
.Ft const unsigned char *
.Fn fido_credman_rp_id_hash_ptr "const fido_credman_rp_t *rp" "size_t idx"
.Ft size_t
.Fn fido_credman_rp_id_hash_len "const fido_credman_rp_t *" "size_t idx"
.Ft int
.Fn fido_credman_get_dev_metadata "fido_dev_t *dev" "fido_credman_metadata_t *metadata" "const char *pin"
.Ft int
.Fn fido_credman_get_dev_rk "fido_dev_t *dev" "const char *rp_id" "fido_credman_rk_t *rk" "const char *pin"
.Ft int
.Fn fido_credman_set_dev_rk "fido_dev_t *dev" "fido_cred_t *cred" "const char *pin"
.Ft int
.Fn fido_credman_del_dev_rk "fido_dev_t *dev" "const unsigned char *cred_id" "size_t cred_id_len" "const char *pin"
.Ft int
.Fn fido_credman_get_dev_rp "fido_dev_t *dev" "fido_credman_rp_t *rp" "const char *pin"
.Sh DESCRIPTION
The credential management API of
.Em libfido2
allows resident credentials on a FIDO2 authenticator to be listed,
inspected, modified, and removed.
Please note that not all FIDO2 authenticators support credential
management.
To obtain information on what an authenticator supports, please
refer to
.Xr fido_cbor_info_new 3 .
.Pp
The
.Vt fido_credman_metadata_t
type abstracts credential management metadata.
.Pp
The
.Fn fido_credman_metadata_new
function returns a pointer to a newly allocated, empty
.Vt fido_credman_metadata_t
type.
If memory cannot be allocated, NULL is returned.
.Pp
The
.Fn fido_credman_metadata_free
function releases the memory backing
.Fa *metadata_p ,
where
.Fa *metadata_p
must have been previously allocated by
.Fn fido_credman_metadata_new .
On return,
.Fa *metadata_p
is set to NULL.
Either
.Fa metadata_p
or
.Fa *metadata_p
may be NULL, in which case
.Fn fido_credman_metadata_free
is a NOP.
.Pp
The
.Fn fido_credman_get_dev_metadata
function populates
.Fa metadata
with information retrieved from
.Fa dev .
A valid
.Fa pin
must be provided.
.Pp
The
.Fn fido_credman_rk_existing
function inspects
.Fa metadata
and returns the number of resident credentials on the
authenticator.
The
.Fn fido_credman_rk_remaining
function inspects
.Fa metadata
and returns the estimated number of resident credentials that can
be created on the authenticator.
.Pp
The
.Vt fido_credman_rk_t
type abstracts the set of resident credentials belonging to a
given relying party.
.Pp
The
.Fn fido_credman_rk_new
function returns a pointer to a newly allocated, empty
.Vt fido_credman_rk_t
type.
If memory cannot be allocated, NULL is returned.
.Pp
The
.Fn fido_credman_rk_free
function releases the memory backing
.Fa *rk_p ,
where
.Fa *rk_p
must have been previously allocated by
.Fn fido_credman_rk_new .
On return,
.Fa *rk_p
is set to NULL.
Either
.Fa rk_p
or
.Fa *rk_p
may be NULL, in which case
.Fn fido_credman_rk_free
is a NOP.
.Pp
The
.Fn fido_credman_get_dev_rk
function populates
.Fa rk
with the set of resident credentials belonging to
.Fa rp_id
in
.Fa dev .
A valid
.Fa pin
must be provided.
.Pp
The
.Fn fido_credman_rk_count
function returns the number of resident credentials in
.Fa rk .
The
.Fn fido_credman_rk
function returns a pointer to the credential at index
.Fa idx
in
.Fa rk .
Please note that the first credential in
.Fa rk
has an
.Fa idx
(index) value of 0.
.Pp
The
.Fn fido_credman_set_dev_rk
function updates the credential pointed to by
.Fa cred
in
.Fa dev .
The credential id and user id attributes of
.Fa cred
must be set.
See
.Xr fido_cred_set_id 3
and
.Xr fido_cred_set_user 3
for details.
Only a credential's user attributes (name, display name)
may be updated at this time.
.Pp
The
.Fn fido_credman_del_dev_rk
function deletes the resident credential identified by
.Fa cred_id
from
.Fa dev ,
where
.Fa cred_id
points to
.Fa cred_id_len
bytes.
A valid
.Fa pin
must be provided.
.Pp
The
.Vt fido_credman_rp_t
type abstracts information about a relying party.
.Pp
The
.Fn fido_credman_rp_new
function returns a pointer to a newly allocated, empty
.Vt fido_credman_rp_t
type.
If memory cannot be allocated, NULL is returned.
.Pp
The
.Fn fido_credman_rp_free
function releases the memory backing
.Fa *rp_p ,
where
.Fa *rp_p
must have been previously allocated by
.Fn fido_credman_rp_new .
On return,
.Fa *rp_p
is set to NULL.
Either
.Fa rp_p
or
.Fa *rp_p
may be NULL, in which case
.Fn fido_credman_rp_free
is a NOP.
.Pp
The
.Fn fido_credman_get_dev_rp
function populates
.Fa rp
with information about relying parties with resident credentials
in
.Fa dev .
A valid
.Fa pin
must be provided.
.Pp
The
.Fn fido_credman_rp_count
function returns the number of relying parties in
.Fa rp .
.Pp
The
.Fn fido_credman_rp_id
and
.Fn fido_credman_rp_name
functions return pointers to the id and name of relying party
.Fa idx
in
.Fa rp .
If not NULL, the values returned by these functions point to
NUL-terminated UTF-8 strings.
Please note that the first relying party in
.Fa rp
has an
.Fa idx
(index) value of 0.
.Pp
The
.Fn fido_credman_rp_id_hash_ptr
function returns a pointer to the hashed id of relying party
.Fa idx
in
.Fa rp .
The corresponding length can be obtained by
.Fn fido_credman_rp_id_hash_len .
Please note that the first relying party in
.Fa rp
has an
.Fa idx
(index) value of 0.
.Sh RETURN VALUES
The
.Fn fido_credman_get_dev_metadata ,
.Fn fido_credman_get_dev_rk ,
.Fn fido_credman_set_dev_rk ,
.Fn fido_credman_del_dev_rk ,
and
.Fn fido_credman_get_dev_rp
functions return
.Dv FIDO_OK
on success.
On error, a different error code defined in
.In fido/err.h
is returned.
Functions returning pointers are not guaranteed to succeed, and
should have their return values checked for NULL.
.Sh SEE ALSO
.Xr fido_cbor_info_new 3 ,
.Xr fido_cred_new 3 ,
.Xr fido_dev_supports_credman 3
.Sh CAVEATS
Resident credentials are called
.Dq discoverable credentials
in CTAP 2.1.

149
man/fido_dev_enable_entattest.3 Normal file
View File

@@ -0,0 +1,149 @@
.\" Copyright (c) 2020-2022 Yubico AB. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions are
.\" met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in
.\" the documentation and/or other materials provided with the
.\" distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" SPDX-License-Identifier: BSD-2-Clause
.\"
.Dd $Mdocdate: March 30 2022 $
.Dt FIDO_DEV_ENABLE_ENTATTEST 3
.Os
.Sh NAME
.Nm fido_dev_enable_entattest ,
.Nm fido_dev_toggle_always_uv ,
.Nm fido_dev_force_pin_change ,
.Nm fido_dev_set_pin_minlen ,
.Nm fido_dev_set_pin_minlen_rpid
.Nd CTAP 2.1 configuration authenticator API
.Sh SYNOPSIS
.In fido.h
.In fido/config.h
.Ft int
.Fn fido_dev_enable_entattest "fido_dev_t *dev" "const char *pin"
.Ft int
.Fn fido_dev_toggle_always_uv "fido_dev_t *dev" "const char *pin"
.Ft int
.Fn fido_dev_force_pin_change "fido_dev_t *dev" "const char *pin"
.Ft int
.Fn fido_dev_set_pin_minlen "fido_dev_t *dev" "size_t len" "const char *pin"
.Ft int
.Fn fido_dev_set_pin_minlen_rpid "fido_dev_t *dev" "const char * const *rpid" "size_t n" "const char *pin"
.Sh DESCRIPTION
The functions described in this page allow configuration of a
CTAP 2.1 authenticator.
.Pp
The
.Fn fido_dev_enable_entattest
function enables the
.Em Enterprise Attestation
feature on
.Fa dev .
.Em Enterprise Attestation
instructs the authenticator to include uniquely identifying
information in subsequent attestation statements.
The
.Fa pin
parameter may be NULL if
.Fa dev
does not have a PIN set.
.Pp
The
.Fn fido_dev_toggle_always_uv
function toggles the
.Dq user verification always
feature on
.Fa dev .
When set, this toggle enforces user verification at the
authenticator level for all known credentials.
If
.Fa dev
supports U2F (CTAP1) and the user verification methods supported by
the authenticator do not allow protection of U2F credentials, the
U2F subsystem will be disabled by the authenticator.
The
.Fa pin
parameter may be NULL if
.Fa dev
does not have a PIN set.
.Pp
The
.Fn fido_dev_force_pin_change
function instructs
.Fa dev
to require a PIN change.
Subsequent PIN authentication attempts against
.Fa dev
will fail until its PIN is changed.
.Pp
The
.Fn fido_dev_set_pin_minlen
function sets the minimum PIN length of
.Fa dev
to
.Fa len .
Minimum PIN lengths may only be increased.
.Pp
The
.Fn fido_dev_set_pin_minlen_rpid
function sets the list of relying party identifiers
.Pq RP IDs
that are allowed to obtain the minimum PIN length of
.Fa dev
through the CTAP 2.1
.Dv FIDO_EXT_MINPINLEN
extension.
The list of RP identifiers is denoted by
.Fa rpid ,
a vector of
.Fa n
NUL-terminated UTF-8 strings.
A copy of
.Fa rpid
is made, and no reference to it or its contents is kept.
The maximum value of
.Fa n
supported by the authenticator can be obtained using
.Xr fido_cbor_info_maxrpid_minpinlen 3 .
.Pp
Configuration settings are reflected in the payload returned by the
authenticator in response to a
.Xr fido_dev_get_cbor_info 3
call.
.Sh RETURN VALUES
The error codes returned by
.Fn fido_dev_enable_entattest ,
.Fn fido_dev_toggle_always_uv ,
.Fn fido_dev_force_pin_change ,
.Fn fido_dev_set_pin_minlen ,
and
.Fn fido_dev_set_pin_minlen_rpid
are defined in
.In fido/err.h .
On success,
.Dv FIDO_OK
is returned.
.Sh SEE ALSO
.Xr fido_cbor_info_maxrpid_minpinlen 3 ,
.Xr fido_cred_pin_minlen 3 ,
.Xr fido_dev_get_cbor_info 3 ,
.Xr fido_dev_reset 3

99
man/fido_dev_get_assert.3 Normal file
View File

@@ -0,0 +1,99 @@
.\" Copyright (c) 2018 Yubico AB. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions are
.\" met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in
.\" the documentation and/or other materials provided with the
.\" distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" SPDX-License-Identifier: BSD-2-Clause
.\"
.Dd $Mdocdate: May 24 2018 $
.Dt FIDO_DEV_GET_ASSERT 3
.Os
.Sh NAME
.Nm fido_dev_get_assert
.Nd obtains an assertion from a FIDO2 device
.Sh SYNOPSIS
.In fido.h
.Ft int
.Fn fido_dev_get_assert "fido_dev_t *dev" "fido_assert_t *assert" "const char *pin"
.Sh DESCRIPTION
The
.Fn fido_dev_get_assert
function asks the FIDO2 device represented by
.Fa dev
for an assertion according to the following parameters defined in
.Fa assert :
.Pp
.Bl -dash -compact
.It
.Nm relying party ID ;
.It
.Nm client data hash ;
.It
.Nm list of allowed credential IDs ;
.It
.Nm user presence and user verification attributes .
.El
.Pp
See
.Xr fido_assert_set_authdata 3
for information on how these values are set.
.Pp
If a PIN is not needed to authenticate the request against
.Fa dev ,
then
.Fa pin
may be NULL.
Otherwise
.Fa pin
must point to a NUL-terminated UTF-8 string.
.Pp
After a successful call to
.Fn fido_dev_get_assert ,
the
.Xr fido_assert_count 3 ,
.Xr fido_assert_user_display_name 3 ,
.Xr fido_assert_user_icon 3 ,
.Xr fido_assert_user_name 3 ,
.Xr fido_assert_authdata_ptr 3 ,
.Xr fido_assert_user_id_ptr 3 ,
.Xr fido_assert_sig_ptr 3 ,
and
.Xr fido_assert_sigcount 3
functions may be invoked on
.Fa assert
to retrieve the various attributes of the generated assertion.
.Pp
Please note that
.Fn fido_dev_get_assert
is synchronous and will block if necessary.
.Sh RETURN VALUES
The error codes returned by
.Fn fido_dev_get_assert
are defined in
.In fido/err.h .
On success,
.Dv FIDO_OK
is returned.
.Sh SEE ALSO
.Xr fido_assert_new 3 ,
.Xr fido_assert_set_authdata 3

96
man/fido_dev_get_touch_begin.3 Normal file
View File

@@ -0,0 +1,96 @@
.\" Copyright (c) 2020 Yubico AB. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions are
.\" met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in
.\" the documentation and/or other materials provided with the
.\" distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" SPDX-License-Identifier: BSD-2-Clause
.\"
.Dd $Mdocdate: August 5 2020 $
.Dt FIDO_DEV_GET_TOUCH_BEGIN 3
.Os
.Sh NAME
.Nm fido_dev_get_touch_begin ,
.Nm fido_dev_get_touch_status
.Nd asynchronously wait for touch on a FIDO2 authenticator
.Sh SYNOPSIS
.In fido.h
.Ft int
.Fn fido_dev_get_touch_begin "fido_dev_t *dev"
.Ft int
.Fn fido_dev_get_touch_status "fido_dev_t *dev" "int *touched" "int ms"
.Sh DESCRIPTION
The functions described in this page allow an application to
asynchronously wait for touch on a FIDO2 authenticator.
This is useful when multiple authenticators are present and
the application needs to know which one to use.
.Pp
The
.Fn fido_dev_get_touch_begin
function initiates a touch request on
.Fa dev .
.Pp
The
.Fn fido_dev_get_touch_status
function continues an ongoing touch request on
.Fa dev ,
blocking up to
.Fa ms
milliseconds.
On success,
.Fa touched
will be updated to reflect the touch request status.
If
.Fa touched
is 1, the device was touched, and the touch request is
terminated.
If
.Fa touched
is 0, the application may call
.Fn fido_dev_get_touch_status
to continue the touch request, or
.Fn fido_dev_cancel
to terminate it.
.Sh RETURN VALUES
The error codes returned by
.Fn fido_dev_get_touch_begin
and
.Fn fido_dev_get_touch_status
are defined in
.In fido/err.h .
On success,
.Dv FIDO_OK
is returned.
.Sh EXAMPLES
Please refer to
.Em examples/select.c
in
.Em libfido2's
source tree.
.Sh SEE ALSO
.Xr fido_dev_cancel 3
.Sh CAVEATS
The
.Fn fido_dev_get_touch_status
function will cause a command to be transmitted to U2F
authenticators.
These transmissions should not exceed a frequency of 5Hz.

211
man/fido_dev_info_manifest.3 Normal file
View File

@@ -0,0 +1,211 @@
.\" Copyright (c) 2018 Yubico AB. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions are
.\" met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in
.\" the documentation and/or other materials provided with the
.\" distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" SPDX-License-Identifier: BSD-2-Clause
.\"
.Dd $Mdocdate: March 30 2022 $
.Dt FIDO_DEV_INFO_MANIFEST 3
.Os
.Sh NAME
.Nm fido_dev_info_manifest ,
.Nm fido_dev_info_new ,
.Nm fido_dev_info_free ,
.Nm fido_dev_info_ptr ,
.Nm fido_dev_info_path ,
.Nm fido_dev_info_product ,
.Nm fido_dev_info_vendor ,
.Nm fido_dev_info_manufacturer_string ,
.Nm fido_dev_info_product_string ,
.Nm fido_dev_info_set
.Nd FIDO2 device discovery functions
.Sh SYNOPSIS
.In fido.h
.Ft int
.Fn fido_dev_info_manifest "fido_dev_info_t *devlist" "size_t ilen" "size_t *olen"
.Ft fido_dev_info_t *
.Fn fido_dev_info_new "size_t n"
.Ft void
.Fn fido_dev_info_free "fido_dev_info_t **devlist_p" "size_t n"
.Ft const fido_dev_info_t *
.Fn fido_dev_info_ptr "const fido_dev_info_t *devlist" "size_t i"
.Ft const char *
.Fn fido_dev_info_path "const fido_dev_info_t *di"
.Ft int16_t
.Fn fido_dev_info_product "const fido_dev_info_t *di"
.Ft int16_t
.Fn fido_dev_info_vendor "const fido_dev_info_t *di"
.Ft const char *
.Fn fido_dev_info_manufacturer_string "const fido_dev_info_t *di"
.Ft const char *
.Fn fido_dev_info_product_string "const fido_dev_info_t *di"
.Ft int
.Fn fido_dev_info_set "fido_dev_info_t *devlist" "size_t i" "const char *path" "const char *manufacturer" "const char *product" "const fido_dev_io_t *io" "const fido_dev_transport_t *transport"
.Sh DESCRIPTION
The
.Fn fido_dev_info_manifest
function fills
.Fa devlist
with up to
.Fa ilen
FIDO2 devices found by the underlying operating system.
Currently only USB HID devices are supported.
The number of discovered devices is returned in
.Fa olen ,
where
.Fa olen
is an addressable pointer.
.Pp
The
.Fn fido_dev_info_new
function returns a pointer to a newly allocated, empty device list
with
.Fa n
available slots.
If memory is not available, NULL is returned.
.Pp
The
.Fn fido_dev_info_free
function releases the memory backing
.Fa *devlist_p ,
where
.Fa *devlist_p
must have been previously allocated by
.Fn fido_dev_info_new .
The number
.Fa n
of allocated slots must also be provided.
On return,
.Fa *devlist_p
is set to NULL.
Either
.Fa devlist_p
or
.Fa *devlist_p
may be NULL, in which case
.Fn fido_dev_info_free
is a NOP.
.Pp
The
.Fn fido_dev_info_ptr
function returns a pointer to slot number
.Fa i
of
.Fa devlist .
It is the caller's responsibility to ensure that
.Fa i
is bounded.
Please note that the first slot has index 0.
.Pp
The
.Fn fido_dev_info_path
function returns the filesystem path or subsystem-specific identification
string of
.Fa di .
.Pp
The
.Fn fido_dev_info_product
function returns the product ID of
.Fa di .
.Pp
The
.Fn fido_dev_info_vendor
function returns the vendor ID of
.Fa di .
.Pp
The
.Fn fido_dev_info_manufacturer_string
function returns the manufacturer string of
.Fa di .
If
.Fa di
does not have an associated manufacturer string,
.Fn fido_dev_info_manufacturer_string
returns an empty string.
.Pp
The
.Fn fido_dev_info_product_string
function returns the product string of
.Fa di .
If
.Fa di
does not have an associated product string,
.Fn fido_dev_info_product_string
returns an empty string.
.Pp
An example of how to use the functions described in this document
can be found in the
.Pa examples/manifest.c
file shipped with
.Em libfido2 .
.Pp
The
.Fn fido_dev_info_set
function initializes an entry in a device list allocated by
.Fn fido_dev_info_new
with the specified path, manufacturer, and product strings, and with
the specified I/O handlers and, optionally, transport functions, as
described in
.Xr fido_dev_set_io_functions 3 .
The
.Fa io
argument must be specified; the
.Fa transport
argument may be
.Dv NULL .
The path, I/O handlers, and transport functions will be used
automatically by
.Xr fido_dev_new_with_info 3
and
.Xr fido_dev_open_with_info 3 .
An application can use this, for example, to substitute mock FIDO2
devices in testing for the real ones that
.Fn fido_dev_info_manifest
would discover.
.Sh RETURN VALUES
The
.Fn fido_dev_info_manifest
function always returns
.Dv FIDO_OK .
If a discovery error occurs, the
.Fa olen
pointer is set to 0.
.Pp
On success, the
.Fn fido_dev_info_set
function returns
.Dv FIDO_OK .
On error, a different error code defined in
.In fido/err.h
is returned.
.Pp
The pointers returned by
.Fn fido_dev_info_ptr ,
.Fn fido_dev_info_path ,
.Fn fido_dev_info_manufacturer_string ,
and
.Fn fido_dev_info_product_string
are guaranteed to exist until
.Fn fido_dev_info_free
is called on the corresponding device list.

216
man/fido_dev_largeblob_get.3 Normal file
View File

@@ -0,0 +1,216 @@
.\" Copyright (c) 2020 Yubico AB. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions are
.\" met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in
.\" the documentation and/or other materials provided with the
.\" distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" SPDX-License-Identifier: BSD-2-Clause
.\"
.Dd $Mdocdate: October 26 2020 $
.Dt FIDO_LARGEBLOB_GET 3
.Os
.Sh NAME
.Nm fido_dev_largeblob_get ,
.Nm fido_dev_largeblob_set ,
.Nm fido_dev_largeblob_remove ,
.Nm fido_dev_largeblob_get_array ,
.Nm fido_dev_largeblob_set_array
.Nd FIDO2 large blob API
.Sh SYNOPSIS
.In fido.h
.Ft int
.Fn fido_dev_largeblob_get "fido_dev_t *dev" "const unsigned char *key_ptr" "size_t key_len" "unsigned char **blob_ptr" "size_t *blob_len"
.Ft int
.Fn fido_dev_largeblob_set "fido_dev_t *dev" "const unsigned char *key_ptr" "size_t key_len" "const unsigned char *blob_ptr" "size_t blob_len" "const char *pin"
.Ft int
.Fn fido_dev_largeblob_remove "fido_dev_t *dev" "const unsigned char *key_ptr" "size_t key_len" "const char *pin"
.Ft int
.Fn fido_dev_largeblob_get_array "fido_dev_t *dev" "unsigned char **cbor_ptr" "size_t *cbor_len"
.Ft int
.Fn fido_dev_largeblob_set_array "fido_dev_t *dev" "const unsigned char *cbor_ptr" "size_t cbor_len" "const char *pin"
.Sh DESCRIPTION
The
.Dq largeBlobs
API of
.Em libfido2
allows binary blobs residing on a CTAP 2.1 authenticator to be
read, written, and inspected.
.Dq largeBlobs
is a CTAP 2.1 extension.
.Pp
.Dq largeBlobs
are stored as elements of a CBOR array.
Confidentiality is ensured by encrypting each element with a
distinct, credential-bound 256-bit AES-GCM key.
The array is otherwise shared between different credentials and
FIDO2 relying parties.
.Pp
Retrieval of a credential's encryption key is possible during
enrollment with
.Xr fido_cred_set_extensions 3
and
.Xr fido_cred_largeblob_key_ptr 3 ,
during assertion with
.Xr fido_assert_set_extensions 3
and
.Xr fido_assert_largeblob_key_ptr 3 ,
or, in the case of a resident credential, via
.Em libfido2's
credential management API.
.Pp
The
.Dq largeBlobs
CBOR array is opaque to the authenticator.
Management of the array is left at the discretion of FIDO2 clients.
For further details on CTAP 2.1's
.Dq largeBlobs
extension, please refer to the CTAP 2.1 spec.
.Pp
The
.Fn fido_dev_largeblob_get
function retrieves the authenticator's
.Dq largeBlobs
CBOR array and, on success, returns the first blob
.Pq iterating from array index zero
that can be decrypted by
.Fa key_ptr ,
where
.Fa key_ptr
points to
.Fa key_len
bytes.
On success,
.Fn fido_dev_largeblob_get
sets
.Fa blob_ptr
to the body of the decrypted blob, and
.Fa blob_len
to the length of the decrypted blob in bytes.
It is the caller's responsibility to free
.Fa blob_ptr .
.Pp
The
.Fn fido_dev_largeblob_set
function uses
.Fa key_ptr
to encrypt
.Fa blob_ptr
and inserts the result in the authenticator's
.Dq largeBlobs
CBOR array.
Insertion happens at the end of the array if no existing element
can be decrypted by
.Fa key_ptr ,
or at the position of the first element
.Pq iterating from array index zero
that can be decrypted by
.Fa key_ptr .
.Fa key_len
holds the length of
.Fa key_ptr
in bytes, and
.Fa blob_len
the length of
.Fa blob_ptr
in bytes.
A
.Fa pin
or equivalent user-verification gesture is required.
.Pp
The
.Fn fido_dev_largeblob_remove
function retrieves the authenticator's
.Dq largeBlobs
CBOR array and, on success, drops the first blob
.Pq iterating from array index zero
that can be decrypted by
.Fa key_ptr ,
where
.Fa key_ptr
points to
.Fa key_len
bytes.
A
.Fa pin
or equivalent user-verification gesture is required.
.Pp
The
.Fn fido_dev_largeblob_get_array
function retrieves the authenticator's
.Dq largeBlobs
CBOR array and, on success,
sets
.Fa cbor_ptr
to the body of the CBOR array, and
.Fa cbor_len
to its corresponding length in bytes.
It is the caller's responsibility to free
.Fa cbor_ptr .
.Pp
Finally, the
.Fn fido_dev_largeblob_set_array
function sets the authenticator's
.Dq largeBlobs
CBOR array to the data pointed to by
.Fa cbor_ptr ,
where
.Fa cbor_ptr
points to
.Fa cbor_len
bytes.
A
.Fa pin
or equivalent user-verification gesture is required.
.Sh RETURN VALUES
The functions
.Fn fido_dev_largeblob_set ,
.Fn fido_dev_largeblob_get ,
.Fn fido_dev_largeblob_remove ,
.Fn fido_dev_largeblob_get_array ,
and
.Fn fido_dev_largeblob_set_array
return
.Dv FIDO_OK
on success.
On error, an error code defined in
.In fido/err.h
is returned.
.Sh SEE ALSO
.Xr fido_assert_largeblob_key_len 3 ,
.Xr fido_assert_largeblob_key_ptr 3 ,
.Xr fido_assert_set_extensions 3 ,
.Xr fido_cred_largeblob_key_len 3 ,
.Xr fido_cred_largeblob_key_ptr 3 ,
.Xr fido_cred_set_extensions 3 ,
.Xr fido_credman_get_dev_rk 3 ,
.Xr fido_credman_get_dev_rp 3 ,
.Xr fido_dev_get_assert 3 ,
.Xr fido_dev_make_cred 3
.Sh CAVEATS
The
.Dq largeBlobs
extension is not meant to be used to store sensitive data.
When retrieved, a credential's
.Dq largeBlobs
encryption key is transmitted in the clear, and an authenticator's
.Dq largeBlobs
CBOR array can be read without user interaction or verification.

100
man/fido_dev_make_cred.3 Normal file
View File

@@ -0,0 +1,100 @@
.\" Copyright (c) 2018 Yubico AB. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions are
.\" met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in
.\" the documentation and/or other materials provided with the
.\" distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" SPDX-License-Identifier: BSD-2-Clause
.\"
.Dd $Mdocdate: May 23 2018 $
.Dt FIDO_DEV_MAKE_CRED 3
.Os
.Sh NAME
.Nm fido_dev_make_cred
.Nd generates a new credential on a FIDO2 device
.Sh SYNOPSIS
.In fido.h
.Ft int
.Fn fido_dev_make_cred "fido_dev_t *dev" "fido_cred_t *cred" "const char *pin"
.Sh DESCRIPTION
The
.Fn fido_dev_make_cred
function asks the FIDO2 device represented by
.Fa dev
to generate a new credential according to the following parameters
defined in
.Fa cred :
.Pp
.Bl -dash -compact
.It
.Nm type ;
.It
.Nm client data hash ;
.It
.Nm relying party ;
.It
.Nm user attributes ;
.It
.Nm list of excluded credential IDs ;
.It
.Nm resident/discoverable key and user verification attributes .
.El
.Pp
See
.Xr fido_cred_set_authdata 3
for information on how these values are set.
.Pp
If a PIN is not needed to authenticate the request against
.Fa dev ,
then
.Fa pin
may be NULL.
Otherwise
.Fa pin
must point to a NUL-terminated UTF-8 string.
.Pp
After a successful call to
.Fn fido_dev_make_cred ,
the
.Xr fido_cred_authdata_ptr 3 ,
.Xr fido_cred_pubkey_ptr 3 ,
.Xr fido_cred_x5c_ptr 3 ,
and
.Xr fido_cred_sig_ptr 3
functions may be invoked on
.Fa cred
to retrieve the various parts of the generated credential.
.Pp
Please note that
.Fn fido_dev_make_cred
is synchronous and will block if necessary.
.Sh RETURN VALUES
The error codes returned by
.Fn fido_dev_make_cred
are defined in
.In fido/err.h .
On success,
.Dv FIDO_OK
is returned.
.Sh SEE ALSO
.Xr fido_cred_new 3 ,
.Xr fido_cred_set_authdata 3

316
man/fido_dev_open.3 Normal file
View File

@@ -0,0 +1,316 @@
.\" Copyright (c) 2018 Yubico AB. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions are
.\" met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in
.\" the documentation and/or other materials provided with the
.\" distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" SPDX-License-Identifier: BSD-2-Clause
.\"
.Dd $Mdocdate: May 25 2018 $
.Dt FIDO_DEV_OPEN 3
.Os
.Sh NAME
.Nm fido_dev_open ,
.Nm fido_dev_open_with_info ,
.Nm fido_dev_close ,
.Nm fido_dev_cancel ,
.Nm fido_dev_new ,
.Nm fido_dev_new_with_info ,
.Nm fido_dev_free ,
.Nm fido_dev_force_fido2 ,
.Nm fido_dev_force_u2f ,
.Nm fido_dev_is_fido2 ,
.Nm fido_dev_is_winhello ,
.Nm fido_dev_supports_credman ,
.Nm fido_dev_supports_cred_prot ,
.Nm fido_dev_supports_permissions ,
.Nm fido_dev_supports_pin ,
.Nm fido_dev_supports_uv ,
.Nm fido_dev_has_pin ,
.Nm fido_dev_has_uv ,
.Nm fido_dev_protocol ,
.Nm fido_dev_build ,
.Nm fido_dev_flags ,
.Nm fido_dev_major ,
.Nm fido_dev_minor
.Nd FIDO2 device open/close and related functions
.Sh SYNOPSIS
.In fido.h
.Ft int
.Fn fido_dev_open "fido_dev_t *dev" "const char *path"
.Ft int
.Fn fido_dev_open_with_info "fido_dev_t *dev"
.Ft int
.Fn fido_dev_close "fido_dev_t *dev"
.Ft int
.Fn fido_dev_cancel "fido_dev_t *dev"
.Ft fido_dev_t *
.Fn fido_dev_new "void"
.Ft fido_dev_t *
.Fn fido_dev_new_with_info "const fido_dev_info_t *"
.Ft void
.Fn fido_dev_free "fido_dev_t **dev_p"
.Ft void
.Fn fido_dev_force_fido2 "fido_dev_t *dev"
.Ft void
.Fn fido_dev_force_u2f "fido_dev_t *dev"
.Ft bool
.Fn fido_dev_is_fido2 "const fido_dev_t *dev"
.Ft bool
.Fn fido_dev_is_winhello "const fido_dev_t *dev"
.Ft bool
.Fn fido_dev_supports_credman "const fido_dev_t *dev"
.Ft bool
.Fn fido_dev_supports_cred_prot "const fido_dev_t *dev"
.Ft bool
.Fn fido_dev_supports_permissions "const fido_dev_t *dev"
.Ft bool
.Fn fido_dev_supports_pin "const fido_dev_t *dev"
.Ft bool
.Fn fido_dev_supports_uv "const fido_dev_t *dev"
.Ft bool
.Fn fido_dev_has_pin "const fido_dev_t *dev"
.Ft bool
.Fn fido_dev_has_uv "const fido_dev_t *dev"
.Ft uint8_t
.Fn fido_dev_protocol "const fido_dev_t *dev"
.Ft uint8_t
.Fn fido_dev_build "const fido_dev_t *dev"
.Ft uint8_t
.Fn fido_dev_flags "const fido_dev_t *dev"
.Ft uint8_t
.Fn fido_dev_major "const fido_dev_t *dev"
.Ft uint8_t
.Fn fido_dev_minor "const fido_dev_t *dev"
.Sh DESCRIPTION
The
.Fn fido_dev_open
function opens the device pointed to by
.Fa path ,
where
.Fa dev
is a freshly allocated or otherwise closed
.Vt fido_dev_t .
If
.Fa dev
claims to be FIDO2,
.Em libfido2
will attempt to speak FIDO2 to
.Fa dev .
If that fails,
.Em libfido2
will fallback to U2F unless the
.Dv FIDO_DISABLE_U2F_FALLBACK
flag was set in
.Xr fido_init 3 .
.Pp
The
.Fn fido_dev_open_with_info
function opens
.Fa dev
as previously allocated using
.Fn fido_dev_new_with_info .
.Pp
The
.Fn fido_dev_close
function closes the device represented by
.Fa dev .
If
.Fa dev
is already closed,
.Fn fido_dev_close
is a NOP.
.Pp
The
.Fn fido_dev_cancel
function cancels any pending requests on
.Fa dev .
.Pp
The
.Fn fido_dev_new
function returns a pointer to a newly allocated, empty
.Vt fido_dev_t .
If memory cannot be allocated, NULL is returned.
.Pp
The
.Fn fido_dev_new_with_info
function returns a pointer to a newly allocated
.Vt fido_dev_t
with
.Vt fido_dev_info_t
parameters, for use with
.Xr fido_dev_info_manifest 3
and
.Fn fido_dev_open_with_info .
If memory cannot be allocated, NULL is returned.
.Pp
The
.Fn fido_dev_free
function releases the memory backing
.Fa *dev_p ,
where
.Fa *dev_p
must have been previously allocated by
.Fn fido_dev_new .
On return,
.Fa *dev_p
is set to NULL.
Either
.Fa dev_p
or
.Fa *dev_p
may be NULL, in which case
.Fn fido_dev_free
is a NOP.
.Pp
The
.Fn fido_dev_force_fido2
function can be used to force CTAP2 communication with
.Fa dev ,
where
.Fa dev
is an open device.
.Pp
The
.Fn fido_dev_force_u2f
function can be used to force CTAP1 (U2F) communication with
.Fa dev ,
where
.Fa dev
is an open device.
.Pp
The
.Fn fido_dev_is_fido2
function returns
.Dv true
if
.Fa dev
is a FIDO2 device.
.Pp
The
.Fn fido_dev_is_winhello
function returns
.Dv true
if
.Fa dev
is a Windows Hello device.
.Pp
The
.Fn fido_dev_supports_credman
function returns
.Dv true
if
.Fa dev
supports CTAP 2.1 Credential Management.
.Pp
The
.Fn fido_dev_supports_cred_prot
function returns
.Dv true
if
.Fa dev
supports CTAP 2.1 Credential Protection.
.Pp
The
.Fn fido_dev_supports_permissions
function returns
.Dv true
if
.Fa dev
supports CTAP 2.1 UV token permissions.
.Pp
The
.Fn fido_dev_supports_pin
function returns
.Dv true
if
.Fa dev
supports CTAP 2.0 Client PINs.
.Pp
The
.Fn fido_dev_supports_uv
function returns
.Dv true
if
.Fa dev
supports a built-in user verification method.
.Pp
The
.Fn fido_dev_has_pin
function returns
.Dv true
if
.Fa dev
has a CTAP 2.0 Client PIN set.
.Pp
The
.Fn fido_dev_has_uv
function returns
.Dv true
if
.Fa dev
supports built-in user verification and its user verification
feature is configured.
.Pp
The
.Fn fido_dev_protocol
function returns the CTAPHID protocol version identifier of
.Fa dev .
.Pp
The
.Fn fido_dev_build
function returns the CTAPHID build version number of
.Fa dev .
.Pp
The
.Fn fido_dev_flags
function returns the CTAPHID capabilities flags of
.Fa dev .
.Pp
The
.Fn fido_dev_major
function returns the CTAPHID major version number of
.Fa dev .
.Pp
The
.Fn fido_dev_minor
function returns the CTAPHID minor version number of
.Fa dev .
.Pp
For the format and meaning of the CTAPHID parameters returned by
functions above, please refer to the FIDO Client to Authenticator
Protocol (CTAP) specification.
.Sh RETURN VALUES
On success,
.Fn fido_dev_open ,
.Fn fido_dev_open_with_info ,
and
.Fn fido_dev_close
return
.Dv FIDO_OK .
On error, a different error code defined in
.In fido/err.h
is returned.
.Sh SEE ALSO
.Xr fido_dev_info_manifest 3 ,
.Xr fido_dev_set_io_functions 3 ,
.Xr fido_init 3

261
man/fido_dev_set_io_functions.3 Normal file
View File

@@ -0,0 +1,261 @@
.\" Copyright (c) 2018-2021 Yubico AB. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions are
.\" met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in
.\" the documentation and/or other materials provided with the
.\" distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" SPDX-License-Identifier: BSD-2-Clause
.\"
.Dd $Mdocdate: May 25 2018 $
.Dt FIDO_DEV_SET_IO_FUNCTIONS 3
.Os
.Sh NAME
.Nm fido_dev_set_io_functions ,
.Nm fido_dev_set_sigmask ,
.Nm fido_dev_set_timeout ,
.Nm fido_dev_set_transport_functions ,
.Nm fido_dev_io_handle
.Nd FIDO2 device I/O interface
.Sh SYNOPSIS
.In fido.h
.Bd -literal
typedef void *fido_dev_io_open_t(const char *);
typedef void fido_dev_io_close_t(void *);
typedef int fido_dev_io_read_t(void *, unsigned char *, size_t, int);
typedef int fido_dev_io_write_t(void *, const unsigned char *, size_t);
typedef struct fido_dev_io {
fido_dev_io_open_t *open;
fido_dev_io_close_t *close;
fido_dev_io_read_t *read;
fido_dev_io_write_t *write;
} fido_dev_io_t;
#ifdef _WIN32
typedef int fido_sigset_t;
#else
typedef sigset_t fido_sigset_t;
#endif
typedef int fido_dev_rx_t(struct fido_dev *,
uint8_t, unsigned char *, size_t, int);
typedef int fido_dev_tx_t(struct fido_dev *,
uint8_t, const unsigned char *, size_t);
typedef struct fido_dev_transport {
fido_dev_rx_t *rx;
fido_dev_tx_t *tx;
} fido_dev_transport_t;
.Ed
.Pp
.Ft int
.Fn fido_dev_set_io_functions "fido_dev_t *dev" "const fido_dev_io_t *io"
.Ft int
.Fn fido_dev_set_sigmask "fido_dev_t *dev" "const fido_sigset_t *sigmask"
.Ft int
.Fn fido_dev_set_timeout "fido_dev_t *dev" "int ms"
.Ft int
.Fn fido_dev_set_transport_functions "fido_dev_t *dev" "const fido_dev_transport_t *t"
.Ft void *
.Fn fido_dev_io_handle "const fido_dev_t *dev"
.Sh DESCRIPTION
The
.Fn fido_dev_set_io_functions
function sets the I/O handlers used by
.Em libfido2
to talk to
.Fa dev .
By default, these handlers are set to the operating system's native HID or NFC
interfaces.
They are defined as follows:
.Bl -tag -width Ds
.It Vt fido_dev_open_t
Receives a
.Vt const char *
holding a path and opens the corresponding device, returning a
non-NULL opaque pointer on success and NULL on error.
.It Vt fido_dev_close_t
Receives the opaque pointer returned by
.Vt fido_dev_open_t
and closes the device.
.It Vt fido_dev_read_t
Reads a single transmission unit (HID report, APDU) from a device.
The first parameter is the opaque pointer returned by
.Vt fido_dev_open_t .
The second parameter is the read buffer, and the third parameter
is the read buffer size.
The fourth parameter is the number of milliseconds the caller is
willing to sleep, should the call need to block.
If this value holds -1,
.Vt fido_dev_read_t
may block indefinitely.
On success, the number of bytes read is returned.
On error, -1 is returned.
.It Vt fido_dev_write_t
Writes a single transmission unit (HID report, APDU) to
.Fa dev .
The first parameter is the opaque pointer returned by
.Vt fido_dev_open_t .
The second parameter is the write buffer, and the third parameter
is the number of bytes to be written.
A
.Vt fido_dev_write_t
may block.
On success, the number of bytes written is returned.
On error, -1 is returned.
.El
.Pp
When calling
.Fn fido_dev_set_io_functions ,
the
.Fa open ,
.Fa close ,
.Fa read ,
and
.Fa write
fields of
.Fa io
may not be NULL.
.Pp
No references to
.Fa io
are held by
.Fn fido_dev_set_io_functions .
.Pp
The
.Fn fido_dev_set_sigmask
function may be used to specify a non-NULL signal mask
.Fa sigmask
to be used while
.Em libfido2's
default I/O handlers wait on
.Fa dev .
On UNIX-like operating systems,
.Vt fido_sigset_t
is defined as
.Vt sigset_t .
On Windows,
.Vt fido_sigset_t
is defined as
.Vt int
and
.Fn fido_dev_set_sigmask
is a no-op.
.Pp
No references to
.Fa sigmask
are held by
.Fn fido_dev_set_sigmask .
.Pp
The
.Fn fido_dev_set_timeout
function informs
.Em libfido2
not to block for more than
.Fa ms
milliseconds while communicating with
.Fa dev .
If a timeout occurs, the corresponding
.Em fido_dev_*
function will fail with
.Dv FIDO_ERR_RX .
If
.Fa ms
is -1,
then
.Em libfido2
may block indefinitely.
This is the default behaviour.
When using the Windows Hello backend,
.Fa ms
is used as a guidance and may be overwritten by the platform.
.Pp
The
.Fn fido_dev_set_transport_functions
function sets the transport functions used by
.Em libfido2
to talk to
.Fa dev .
While the I/O handlers are responsible for sending and receiving
transmission units of initialization and continuation packets already
formatted by
.Em libfido2 ,
the transport handlers are responsible for sending and receiving
the CTAPHID commands and data directly, as defined in the FIDO Client
to Authenticator Protocol (CTAP) standard.
They are defined as follows:
.Bl -tag -width Ds
.It Vt fido_dev_tx_t
Receives a device, a CTAPHID command to transmit, a data buffer to
transmit, and the length of the data buffer.
On success, 0 is returned.
On error, -1 is returned.
.It Vt fido_dev_rx_t
Receives a device, a CTAPHID command whose response the caller expects
to receive, a data buffer to receive into, the size of the data buffer
determining the maximum length of a response, and the maximum number of
milliseconds to wait for a response.
On success, the number of bytes read into the data buffer is returned.
On error, -1 is returned.
.El
.Pp
When transport functions are specified,
.Em libfido2
will use them instead of the
.Dv read
and
.Dv write
functions of the I/O handlers.
However, the I/O handlers must still be specified to open and close the
device.
.Pp
The
.Fn fido_dev_io_handle
function returns the opaque pointer returned by the
.Dv open
function of the I/O handlers.
This is useful mainly for the transport functions, which unlike the I/O
handlers are passed the
.Vt fido_dev_t
pointer instead of the opaque I/O handle.
.Sh RETURN VALUES
On success,
.Fn fido_dev_set_io_functions ,
.Fn fido_dev_set_transport_functions ,
.Fn fido_dev_set_sigmask ,
and
.Fn fido_dev_set_timeout
return
.Dv FIDO_OK .
On error, a different error code defined in
.In fido/err.h
is returned.
.Sh SEE ALSO
.Xr fido_dev_info_manifest 3 ,
.Xr fido_dev_open 3
.Rs
.%D 2021-06-15
.%O Proposed Standard, Version 2.1
.%Q FIDO Alliance
.%R Client to Authenticator Protocol (CTAP)
.%U https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html
.Re

128
man/fido_dev_set_pin.3 Normal file
View File

@@ -0,0 +1,128 @@
.\" Copyright (c) 2018 Yubico AB. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions are
.\" met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in
.\" the documentation and/or other materials provided with the
.\" distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" SPDX-License-Identifier: BSD-2-Clause
.\"
.Dd $Mdocdate: May 25 2018 $
.Dt FIDO_DEV_SET_PIN 3
.Os
.Sh NAME
.Nm fido_dev_set_pin ,
.Nm fido_dev_get_retry_count ,
.Nm fido_dev_get_uv_retry_count ,
.Nm fido_dev_reset
.Nd FIDO2 device management functions
.Sh SYNOPSIS
.In fido.h
.Ft int
.Fn fido_dev_set_pin "fido_dev_t *dev" "const char *pin" "const char *oldpin"
.Ft int
.Fn fido_dev_get_retry_count "fido_dev_t *dev" "int *retries"
.Ft int
.Fn fido_dev_get_uv_retry_count "fido_dev_t *dev" "int *retries"
.Ft int
.Fn fido_dev_reset "fido_dev_t *dev"
.Sh DESCRIPTION
The
.Fn fido_dev_set_pin
function sets the PIN of device
.Fa dev
to
.Fa pin ,
where
.Fa pin
is a NUL-terminated UTF-8 string.
If
.Fa oldpin
is not NULL, the device's PIN is changed from
.Fa oldpin
to
.Fa pin ,
where
.Fa pin
and
.Fa oldpin
are NUL-terminated UTF-8 strings.
.Pp
The
.Fn fido_dev_get_retry_count
function fills
.Fa retries
with the number of PIN retries left in
.Fa dev
before lock-out, where
.Fa retries
is an addressable pointer.
.Pp
The
.Fn fido_dev_get_uv_retry_count
function fills
.Fa retries
with the number of built-in UV retries left in
.Fa dev
before built-in UV is disabled, where
.Fa retries
is an addressable pointer.
.Pp
The
.Fn fido_dev_reset
function performs a reset on
.Fa dev ,
resetting the device's PIN and erasing credentials stored on the
device.
.Pp
Please note that
.Fn fido_dev_set_pin ,
.Fn fido_dev_get_retry_count ,
.Fn fido_dev_get_uv_retry_count ,
and
.Fn fido_dev_reset
are synchronous and will block if necessary.
.Sh RETURN VALUES
The error codes returned by
.Fn fido_dev_set_pin ,
.Fn fido_dev_get_retry_count ,
.Fn fido_dev_get_uv_retry_count ,
and
.Fn fido_dev_reset
are defined in
.In fido/err.h .
On success,
.Dv FIDO_OK
is returned.
.Sh SEE ALSO
.Xr fido_cbor_info_uv_attempts 3
.Sh CAVEATS
Regarding
.Fn fido_dev_reset ,
the actual user-flow to perform a reset is outside the scope of the
FIDO2 specification, and may therefore vary depending on the
authenticator.
Yubico authenticators will return
.Dv FIDO_ERR_NOT_ALLOWED
if a reset is issued later than 5 seconds after power-up, and
.Dv FIDO_ERR_ACTION_TIMEOUT
if the user fails to confirm the reset by touching the key
within 30 seconds.

95
man/fido_init.3 Normal file
View File

@@ -0,0 +1,95 @@
.\" Copyright (c) 2018 Yubico AB. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions are
.\" met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in
.\" the documentation and/or other materials provided with the
.\" distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" SPDX-License-Identifier: BSD-2-Clause
.\"
.Dd $Mdocdate: May 25 2018 $
.Dt FIDO_INIT 3
.Os
.Sh NAME
.Nm fido_init ,
.Nm fido_set_log_handler
.Nd initialise the FIDO2 library
.Sh SYNOPSIS
.In fido.h
.Bd -literal
typedef void fido_log_handler_t(const char *);
.Ed
.Pp
.Ft void
.Fn fido_init "int flags"
.Ft void
.Fn fido_set_log_handler "fido_log_handler_t *handler"
.Sh DESCRIPTION
The
.Fn fido_init
function initialises the
.Em libfido2
library.
Its invocation must precede that of any other
.Em libfido2
function in the context of the executing thread.
.Pp
If
.Dv FIDO_DEBUG
is set in
.Fa flags ,
then
debug output will be emitted by
.Em libfido2
on
.Em stderr .
Alternatively, the
.Ev FIDO_DEBUG
environment variable may be set.
.Pp
If
.Dv FIDO_DISABLE_U2F_FALLBACK
is set in
.Fa flags ,
then
.Em libfido2
will not fallback to U2F in
.Xr fido_dev_open 3
if a device claims to support FIDO2 but fails to respond to
a CTAP 2.0 greeting.
.Pp
The
.Fn fido_set_log_handler
function causes
.Fa handler
to be called for each log line generated in the context of the
executing thread.
Lines passed to
.Fa handler
include a trailing newline character and are not printed by
.Em libfido2
on
.Em stderr .
.Sh SEE ALSO
.Xr fido_assert_new 3 ,
.Xr fido_cred_new 3 ,
.Xr fido_dev_info_manifest 3 ,
.Xr fido_dev_open 3

50
man/fido_strerr.3 Normal file
View File

@@ -0,0 +1,50 @@
.\" Copyright (c) 2018 Yubico AB. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions are
.\" met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in
.\" the documentation and/or other materials provided with the
.\" distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" SPDX-License-Identifier: BSD-2-Clause
.\"
.Dd $Mdocdate: May 25 2018 $
.Dt FIDO_STRERR 3
.Os
.Sh NAME
.Nm fido_strerr
.Nd FIDO2 error codes
.Sh SYNOPSIS
.In fido.h
.Ft const char *
.Fn fido_strerr "int n"
.Sh DESCRIPTION
The
.Fn fido_strerr
function translates the error code
.Fa n
into a readable string,
where
.Fa n
is an error code defined in
.In fido/err.h .
.Fn fido_strerr
never returns NULL.
Returned pointers point to static strings.

160
man/rs256_pk_new.3 Normal file
View File

@@ -0,0 +1,160 @@
.\" Copyright (c) 2018-2022 Yubico AB. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions are
.\" met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in
.\" the documentation and/or other materials provided with the
.\" distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" SPDX-License-Identifier: BSD-2-Clause
.\"
.Dd $Mdocdate: July 15 2022 $
.Dt RS256_PK_NEW 3
.Os
.Sh NAME
.Nm rs256_pk_new ,
.Nm rs256_pk_free ,
.Nm rs256_pk_from_RSA ,
.Nm rs256_pk_from_EVP_PKEY ,
.Nm rs256_pk_from_ptr ,
.Nm rs256_pk_to_EVP_PKEY
.Nd FIDO2 COSE RS256 API
.Sh SYNOPSIS
.In openssl/rsa.h
.In fido/rs256.h
.Ft rs256_pk_t *
.Fn rs256_pk_new "void"
.Ft void
.Fn rs256_pk_free "rs256_pk_t **pkp"
.Ft int
.Fn rs256_pk_from_EVP_PKEY "rs256_pk_t *pk" "const EVP_PKEY *pkey"
.Ft int
.Fn rs256_pk_from_RSA "rs256_pk_t *pk" "const RSA *rsa"
.Ft int
.Fn rs256_pk_from_ptr "rs256_pk_t *pk" "const void *ptr" "size_t len"
.Ft EVP_PKEY *
.Fn rs256_pk_to_EVP_PKEY "const rs256_pk_t *pk"
.Sh DESCRIPTION
RS256 is the name given in the CBOR Object Signing and Encryption
(COSE) RFC to PKCS#1.5 2048-bit RSA with SHA-256.
The COSE RS256 API of
.Em libfido2
is an auxiliary API with routines to convert between the different
RSA public key types used in
.Em libfido2
and
.Em OpenSSL .
.Pp
In
.Em libfido2 ,
RS256 public keys are abstracted by the
.Vt rs256_pk_t
type.
.Pp
The
.Fn rs256_pk_new
function returns a pointer to a newly allocated, empty
.Vt rs256_pk_t
type.
If memory cannot be allocated, NULL is returned.
.Pp
The
.Fn rs256_pk_free
function releases the memory backing
.Fa *pkp ,
where
.Fa *pkp
must have been previously allocated by
.Fn rs256_pk_new .
On return,
.Fa *pkp
is set to NULL.
Either
.Fa pkp
or
.Fa *pkp
may be NULL, in which case
.Fn rs256_pk_free
is a NOP.
.Pp
The
.Fn rs256_pk_from_EVP_PKEY
function fills
.Fa pk
with the contents of
.Fa pkey .
No references to
.Fa pkey
are kept.
.Pp
The
.Fn rs256_pk_from_RSA
function fills
.Fa pk
with the contents of
.Fa rsa .
No references to
.Fa rsa
are kept.
.Pp
The
.Fn rs256_pk_from_ptr
function fills
.Fa pk
with the contents of
.Fa ptr ,
where
.Fa ptr
points to
.Fa len
bytes.
No references to
.Fa ptr
are kept.
.Pp
The
.Fn rs256_pk_to_EVP_PKEY
function converts
.Fa pk
to a newly allocated
.Fa EVP_PKEY
type with a reference count of 1.
No internal references to the returned pointer are kept.
If an error occurs,
.Fn rs256_pk_to_EVP_PKEY
returns NULL.
.Sh RETURN VALUES
The
.Fn rs256_pk_from_EVP_PKEY ,
.Fn rs256_pk_from_RSA ,
and
.Fn rs256_pk_from_ptr
functions return
.Dv FIDO_OK
on success.
On error, a different error code defined in
.In fido/err.h
is returned.
.Sh SEE ALSO
.Xr eddsa_pk_new 3 ,
.Xr es256_pk_new 3 ,
.Xr es384_pk_new 3 ,
.Xr fido_assert_verify 3 ,
.Xr fido_cred_pubkey_ptr 3

24
man/style.css Normal file
View File

@@ -0,0 +1,24 @@
* { margin: 0; padding: 0; }
body {
font-family: monospace;
font-size: 1em;
margin: 2% auto;
max-width: 54em;
}
ul { margin-left: 1em; }
a { color: #009900; }
.Sh { font-size: 1em; padding-top: 1em; padding-bottom: 1em; }
.foot { padding-top: 1em; }
table.head, table.foot { width: 100%; }
td.head-rtitle, td.foot-os { text-align: right; }
td.head-vol { text-align: center; }
div.Pp { margin: 1ex 0ex; }
div.Nd, div.Bf, div.Op { display: inline; }
span.Pa, span.Ad { font-style: italic; }
span.Ms { font-weight: bold; }
dl.Bl-diag > dt { font-weight: bold; }
code.Nm, code.Fl, code.Cm, code.Ic, code.In, code.Fd, code.Fn,
code.Cd { font-weight: bold; font-family: inherit; }