xref: /freebsd/contrib/libfido2/examples/README.adoc (revision 43a5ec4eb41567cc92586503212743d89686d78f)
1= Examples
2
3=== Definitions
4
5The following definitions are used in the description below:
6
7- <device>
8
9	The file system path or subsystem-specific identification string of a
10	FIDO device.
11
12- <pin>, [oldpin]
13
14	Strings passed directly in the executed command's argument vector.
15
16- <cred_id>
17
18	The file system path of a file containing a FIDO credential ID in
19	binary representation.
20
21- <pubkey>
22
23	The file system path of a file containing a NIST P-256 public key in
24	PEM format.
25
26- <blobkey>
27
28	A credential's associated FIDO 2.1 "largeBlob" symmetric key.
29
30=== Description
31
32The following examples are provided:
33
34- manifest
35
36	Prints a list of configured FIDO devices.
37
38- info <device>
39
40	Prints information about <device>.
41
42- reset <device>
43
44	Performs a factory reset on <device>.
45
46- setpin <pin> [oldpin] <device>
47
48	Configures <pin> as the new PIN of <device>. If [oldpin] is provided,
49	the device's PIN is changed from [oldpin] to <pin>.
50
51- cred [-t ecdsa|rsa|eddsa] [-k pubkey] [-ei cred_id] [-P pin] [-T seconds]
52       [-b blobkey] [-hruv] <device>
53
54	Creates a new credential on <device> and verify that the credential
55	was signed by the authenticator. The device's attestation certificate
56	is not verified. If option -k is specified, the credential's public
57	key is stored in <pubkey>. If option -i is specified, the credential
58	ID is stored in <cred_id>. The -e option may be used to add <cred_id>
59	to the list of excluded credentials. If option -h is specified,
60	the hmac-secret FIDO2 extension is enabled on the generated
61	credential. If option -r is specified, the generated credential
62	will involve a resident key. User verification may be requested
63	through the -v option. If option -u is specified, the credential
64	is generated using U2F (CTAP1) instead of FIDO2 (CTAP2) commands.
65	The -T option may be used to enforce a timeout of <seconds>. If the
66	option -b is specified, the credential's "largeBlob" key is stored in
67	<blobkey>.
68
69- assert [-t ecdsa|rsa|eddsa] [-a cred_id] [-h hmac_secret] [-s hmac_salt]
70	 [-P pin] [-T seconds] [-b blobkey] [-puv] <pubkey> <device>
71
72	Asks <device> for a FIDO2 assertion corresponding to [cred_id],
73	which may be omitted for resident keys. The obtained assertion
74	is verified using <pubkey>. The -p option requests that the user
75	be present.  User verification may be requested through the -v
76	option. If option -u is specified, the assertion is generated using
77	U2F (CTAP1) instead of FIDO2 (CTAP2) commands. If option -s is
78	specified, a FIDO2 hmac-secret is requested from the authenticator,
79	and the contents of <hmac_salt> are used as the salt. If option -h
80	is specified, the resulting hmac-secret is stored in <hmac_secret>.
81	The -T option may be used to enforce a timeout of <seconds>. If the
82	option -b specified, the credential's "largeBlob" key is stored in
83	<blobkey>.
84
85- retries <device>
86	Get the number of PIN attempts left on <device> before lockout.
87
88- select
89
90	Enumerates available FIDO devices and, if more than one is present,
91	simultaneously requests touch on all of them, printing information
92	about the device touched.
93
94Debugging is possible through the use of the FIDO_DEBUG environment variable.
95If set, libfido2 will produce a log of its transactions with the authenticator.
96
97Additionally, an example of a WebAuthn client using libfido2 is available at
98https://github.com/martelletto/fido2-webauthn-client.
99