1= Examples 2 3=== Definitions 4 5The following definitions are used in the description below: 6 7- <device> 8 9 The file system path or subsystem-specific identification string of a 10 FIDO device. 11 12- <pin>, [oldpin] 13 14 Strings passed directly in the executed command's argument vector. 15 16- <cred_id> 17 18 The file system path of a file containing a FIDO credential ID in 19 binary representation. 20 21- <pubkey> 22 23 The file system path of a file containing a public key in PEM format. 24 25- <blobkey> 26 27 A credential's associated CTAP 2.1 "largeBlob" symmetric key. 28 29=== Description 30 31The following examples are provided: 32 33- manifest 34 35 Prints a list of configured FIDO devices. 36 37- info <device> 38 39 Prints information about <device>. 40 41- reset <device> 42 43 Performs a factory reset on <device>. 44 45- setpin <pin> [oldpin] <device> 46 47 Configures <pin> as the new PIN of <device>. If [oldpin] is provided, 48 the device's PIN is changed from [oldpin] to <pin>. 49 50- cred [-t es256|es384|rs256|eddsa] [-k pubkey] [-ei cred_id] [-P pin] 51 [-T seconds] [-b blobkey] [-hruv] [-c cred_protect] <device> 52 53 Creates a new credential on <device> and verify that the credential 54 was signed by the authenticator. The device's attestation certificate 55 is not verified. If option -k is specified, the credential's public 56 key is stored in <pubkey>. If option -i is specified, the credential 57 ID is stored in <cred_id>. The -e option may be used to add <cred_id> 58 to the list of excluded credentials. If option -h is specified, 59 the hmac-secret FIDO2 extension is enabled on the generated 60 credential. If option -r is specified, the generated credential 61 will involve a resident key. User verification may be requested 62 through the -v option. If option -u is specified, the credential 63 is generated using U2F (CTAP1) instead of FIDO2 (CTAP2) commands. 64 The -T option may be used to enforce a timeout of <seconds>. If the 65 option -b is specified, the credential's "largeBlob" key is stored in 66 <blobkey>. If the option -c is specified the the generated credential 67 will be bound by the specified protection policy. 68 69- assert [-t es256|es384|rs256|eddsa] [-a cred_id] [-h hmac_secret] [-P pin] 70 [-s hmac_salt] [-T seconds] [-b blobkey] [-puv] <pubkey> <device> 71 72 Asks <device> for a FIDO2 assertion corresponding to [cred_id], 73 which may be omitted for resident keys. The obtained assertion 74 is verified using <pubkey>. The -p option requests that the user 75 be present and checks whether the user presence bit was signed by the 76 authenticator. The -v option requests user verification and checks 77 whether the user verification bit was signed by the authenticator. 78 If option -u is specified, the assertion is generated using 79 U2F (CTAP1) instead of FIDO2 (CTAP2) commands. If option -s is 80 specified, a FIDO2 hmac-secret is requested from the authenticator, 81 and the contents of <hmac_salt> are used as the salt. If option -h 82 is specified, the resulting hmac-secret is stored in <hmac_secret>. 83 The -T option may be used to enforce a timeout of <seconds>. If the 84 option -b specified, the credential's "largeBlob" key is stored in 85 <blobkey>. 86 87- retries <device> 88 Get the number of PIN attempts left on <device> before lockout. 89 90- select 91 92 Enumerates available FIDO devices and, if more than one is present, 93 simultaneously requests touch on all of them, printing information 94 about the device touched. 95 96Debugging is possible through the use of the FIDO_DEBUG environment variable. 97If set, libfido2 will produce a log of its transactions with the authenticator. 98 99Additionally, an example of a WebAuthn client using libfido2 is available at 100https://github.com/martelletto/fido2-webauthn-client. 101