12ccfa855SEd Maste.\" Copyright (c) 2018-2022 Yubico AB. All rights reserved. 20afa8e06SEd Maste.\" 32ccfa855SEd Maste.\" Redistribution and use in source and binary forms, with or without 42ccfa855SEd Maste.\" modification, are permitted provided that the following conditions are 52ccfa855SEd Maste.\" met: 62ccfa855SEd Maste.\" 72ccfa855SEd Maste.\" 1. Redistributions of source code must retain the above copyright 82ccfa855SEd Maste.\" notice, this list of conditions and the following disclaimer. 92ccfa855SEd Maste.\" 2. Redistributions in binary form must reproduce the above copyright 102ccfa855SEd Maste.\" notice, this list of conditions and the following disclaimer in 112ccfa855SEd Maste.\" the documentation and/or other materials provided with the 122ccfa855SEd Maste.\" distribution. 132ccfa855SEd Maste.\" 142ccfa855SEd Maste.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 152ccfa855SEd Maste.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 162ccfa855SEd Maste.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 172ccfa855SEd Maste.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 182ccfa855SEd Maste.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 192ccfa855SEd Maste.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 202ccfa855SEd Maste.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 212ccfa855SEd Maste.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 222ccfa855SEd Maste.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 232ccfa855SEd Maste.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 242ccfa855SEd Maste.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 252ccfa855SEd Maste.\" 262ccfa855SEd Maste.\" SPDX-License-Identifier: BSD-2-Clause 272ccfa855SEd Maste.\" 28*60a517b6SEd Maste.Dd $Mdocdate: April 8 2023 $ 290afa8e06SEd Maste.Dt FIDO_ASSERT_SET_AUTHDATA 3 300afa8e06SEd Maste.Os 310afa8e06SEd Maste.Sh NAME 320afa8e06SEd Maste.Nm fido_assert_set_authdata , 330afa8e06SEd Maste.Nm fido_assert_set_authdata_raw , 340afa8e06SEd Maste.Nm fido_assert_set_clientdata , 350afa8e06SEd Maste.Nm fido_assert_set_clientdata_hash , 360afa8e06SEd Maste.Nm fido_assert_set_count , 370afa8e06SEd Maste.Nm fido_assert_set_extensions , 380afa8e06SEd Maste.Nm fido_assert_set_hmac_salt , 390afa8e06SEd Maste.Nm fido_assert_set_hmac_secret , 400afa8e06SEd Maste.Nm fido_assert_set_up , 410afa8e06SEd Maste.Nm fido_assert_set_uv , 420afa8e06SEd Maste.Nm fido_assert_set_rp , 43*60a517b6SEd Maste.Nm fido_assert_set_sig , 44*60a517b6SEd Maste.Nm fido_assert_set_winhello_appid 450afa8e06SEd Maste.Nd set parameters of a FIDO2 assertion 460afa8e06SEd Maste.Sh SYNOPSIS 470afa8e06SEd Maste.In fido.h 480afa8e06SEd Maste.Bd -literal 490afa8e06SEd Mastetypedef enum { 500afa8e06SEd Maste FIDO_OPT_OMIT = 0, /* use authenticator's default */ 510afa8e06SEd Maste FIDO_OPT_FALSE, /* explicitly set option to false */ 520afa8e06SEd Maste FIDO_OPT_TRUE, /* explicitly set option to true */ 530afa8e06SEd Maste} fido_opt_t; 540afa8e06SEd Maste.Ed 550afa8e06SEd Maste.Ft int 560afa8e06SEd Maste.Fn fido_assert_set_authdata "fido_assert_t *assert" "size_t idx" "const unsigned char *ptr" "size_t len" 570afa8e06SEd Maste.Ft int 580afa8e06SEd Maste.Fn fido_assert_set_authdata_raw "fido_assert_t *assert" "size_t idx" "const unsigned char *ptr" "size_t len" 590afa8e06SEd Maste.Ft int 600afa8e06SEd Maste.Fn fido_assert_set_clientdata "fido_assert_t *assert" "const unsigned char *ptr" "size_t len" 610afa8e06SEd Maste.Ft int 620afa8e06SEd Maste.Fn fido_assert_set_clientdata_hash "fido_assert_t *assert" "const unsigned char *ptr" "size_t len" 630afa8e06SEd Maste.Ft int 640afa8e06SEd Maste.Fn fido_assert_set_count "fido_assert_t *assert" "size_t n" 650afa8e06SEd Maste.Ft int 660afa8e06SEd Maste.Fn fido_assert_set_extensions "fido_assert_t *assert" "int flags" 670afa8e06SEd Maste.Ft int 680afa8e06SEd Maste.Fn fido_assert_set_hmac_salt "fido_assert_t *assert" "const unsigned char *ptr" "size_t len" 690afa8e06SEd Maste.Ft int 703e696dfbSEd Maste.Fn fido_assert_set_hmac_secret "fido_assert_t *assert" "size_t idx" "const unsigned char *ptr" "size_t len" 710afa8e06SEd Maste.Ft int 720afa8e06SEd Maste.Fn fido_assert_set_up "fido_assert_t *assert" "fido_opt_t up" 730afa8e06SEd Maste.Ft int 740afa8e06SEd Maste.Fn fido_assert_set_uv "fido_assert_t *assert" "fido_opt_t uv" 750afa8e06SEd Maste.Ft int 760afa8e06SEd Maste.Fn fido_assert_set_rp "fido_assert_t *assert" "const char *id" 770afa8e06SEd Maste.Ft int 780afa8e06SEd Maste.Fn fido_assert_set_sig "fido_assert_t *assert" "size_t idx" "const unsigned char *ptr" "size_t len" 79*60a517b6SEd Maste.Ft int 80*60a517b6SEd Maste.Fn fido_assert_set_winhello_appid "fido_assert_t *assert" "const char *id" 810afa8e06SEd Maste.Sh DESCRIPTION 820afa8e06SEd MasteThe 830afa8e06SEd Maste.Nm 840afa8e06SEd Masteset of functions define the various parameters of a FIDO2 850afa8e06SEd Masteassertion, allowing a 860afa8e06SEd Maste.Fa fido_assert_t 870afa8e06SEd Mastetype to be prepared for a subsequent call to 880afa8e06SEd Maste.Xr fido_dev_get_assert 3 890afa8e06SEd Masteor 900afa8e06SEd Maste.Xr fido_assert_verify 3 . 910afa8e06SEd MasteFor the complete specification of a FIDO2 assertion and the format 920afa8e06SEd Masteof its constituent parts, please refer to the Web Authentication 930afa8e06SEd Maste(webauthn) standard. 940afa8e06SEd Maste.Pp 950afa8e06SEd MasteThe 960afa8e06SEd Maste.Fn fido_assert_set_count 970afa8e06SEd Mastefunction sets the number of assertion statements in 980afa8e06SEd Maste.Fa assert 990afa8e06SEd Masteto 1000afa8e06SEd Maste.Fa n . 1010afa8e06SEd Maste.Pp 1020afa8e06SEd MasteThe 1030afa8e06SEd Maste.Fn fido_assert_set_authdata 1040afa8e06SEd Masteand 1050afa8e06SEd Maste.Fn fido_assert_set_sig 1060afa8e06SEd Mastefunctions set the authenticator data and signature parts of the 1070afa8e06SEd Mastestatement with index 1080afa8e06SEd Maste.Fa idx 1090afa8e06SEd Masteof 1100afa8e06SEd Maste.Fa assert 1110afa8e06SEd Masteto 1120afa8e06SEd Maste.Fa ptr , 1130afa8e06SEd Mastewhere 1140afa8e06SEd Maste.Fa ptr 1150afa8e06SEd Mastepoints to 1160afa8e06SEd Maste.Fa len 1170afa8e06SEd Mastebytes. 1180afa8e06SEd MasteA copy of 1190afa8e06SEd Maste.Fa ptr 1200afa8e06SEd Masteis made, and no references to the passed pointer are kept. 1210afa8e06SEd MastePlease note that the first assertion statement of 1220afa8e06SEd Maste.Fa assert 1230afa8e06SEd Mastehas an 1240afa8e06SEd Maste.Fa idx 1250afa8e06SEd Masteof 1260afa8e06SEd Maste.Em 0 . 1270afa8e06SEd MasteThe authenticator data passed to 1280afa8e06SEd Maste.Fn fido_assert_set_authdata 1290afa8e06SEd Mastemust be a CBOR-encoded byte string, as obtained from 1300afa8e06SEd Maste.Fn fido_assert_authdata_ptr . 1310afa8e06SEd MasteAlternatively, a raw binary blob may be passed to 1320afa8e06SEd Maste.Fn fido_assert_set_authdata_raw . 1330afa8e06SEd Maste.Pp 1340afa8e06SEd MasteThe 1353e696dfbSEd Maste.Fn fido_assert_set_clientdata_hash 1363e696dfbSEd Mastefunction sets the client data hash of 1370afa8e06SEd Maste.Fa assert 1380afa8e06SEd Masteto 1390afa8e06SEd Maste.Fa ptr , 1400afa8e06SEd Mastewhere 1410afa8e06SEd Maste.Fa ptr 1420afa8e06SEd Mastepoints to 1430afa8e06SEd Maste.Fa len 1440afa8e06SEd Mastebytes. 1450afa8e06SEd MasteA copy of 1460afa8e06SEd Maste.Fa ptr 1470afa8e06SEd Masteis made, and no references to the passed pointer are kept. 1480afa8e06SEd Maste.Pp 1490afa8e06SEd MasteThe 1500afa8e06SEd Maste.Fn fido_assert_set_clientdata 1510afa8e06SEd Mastefunction allows an application to set the client data hash of 1520afa8e06SEd Maste.Fa assert 1530afa8e06SEd Masteby specifying the assertion's unhashed client data. 1540afa8e06SEd MasteThis is required by Windows Hello, which calculates the client data 1550afa8e06SEd Mastehash internally. 1560afa8e06SEd MasteFor compatibility with Windows Hello, applications should use 1570afa8e06SEd Maste.Fn fido_assert_set_clientdata 1580afa8e06SEd Masteinstead of 1590afa8e06SEd Maste.Fn fido_assert_set_clientdata_hash . 1600afa8e06SEd Maste.Pp 1610afa8e06SEd MasteThe 1620afa8e06SEd Maste.Fn fido_assert_set_rp 1630afa8e06SEd Mastefunction sets the relying party 1640afa8e06SEd Maste.Fa id 1650afa8e06SEd Masteof 1660afa8e06SEd Maste.Fa assert , 1670afa8e06SEd Mastewhere 1680afa8e06SEd Maste.Fa id 1690afa8e06SEd Masteis a NUL-terminated UTF-8 string. 1700afa8e06SEd MasteThe content of 1710afa8e06SEd Maste.Fa id 1720afa8e06SEd Masteis copied, and no references to the passed pointer are kept. 1730afa8e06SEd Maste.Pp 1740afa8e06SEd MasteThe 1750afa8e06SEd Maste.Fn fido_assert_set_extensions 1760afa8e06SEd Mastefunction sets the extensions of 1770afa8e06SEd Maste.Fa assert 1780afa8e06SEd Masteto the bitmask 1790afa8e06SEd Maste.Fa flags . 1800afa8e06SEd MasteAt the moment, only the 1810afa8e06SEd Maste.Dv FIDO_EXT_CRED_BLOB , 1820afa8e06SEd Maste.Dv FIDO_EXT_HMAC_SECRET , 1830afa8e06SEd Masteand 1840afa8e06SEd Maste.Dv FIDO_EXT_LARGEBLOB_KEY 1850afa8e06SEd Masteextensions are supported. 1860afa8e06SEd MasteIf 1870afa8e06SEd Maste.Fa flags 1880afa8e06SEd Masteis zero, the extensions of 1890afa8e06SEd Maste.Fa assert 1900afa8e06SEd Masteare cleared. 1910afa8e06SEd Maste.Pp 1920afa8e06SEd MasteThe 1933e696dfbSEd Maste.Fn fido_assert_set_hmac_salt 1943e696dfbSEd Masteand 1953e696dfbSEd Maste.Fn fido_assert_set_hmac_secret 1963e696dfbSEd Mastefunctions set the hmac-salt and hmac-secret parts of 1973e696dfbSEd Maste.Fa assert 1983e696dfbSEd Masteto 1993e696dfbSEd Maste.Fa ptr , 2003e696dfbSEd Mastewhere 2013e696dfbSEd Maste.Fa ptr 2023e696dfbSEd Mastepoints to 2033e696dfbSEd Maste.Fa len 2043e696dfbSEd Mastebytes. 2053e696dfbSEd MasteA copy of 2063e696dfbSEd Maste.Fa ptr 2073e696dfbSEd Masteis made, and no references to the passed pointer are kept. 2083e696dfbSEd MasteThe HMAC Secret 2093e696dfbSEd Maste.Pq hmac-secret 2103e696dfbSEd MasteExtension is a CTAP 2.0 extension. 2112ccfa855SEd MasteNote that the resulting hmac-secret varies according to whether 2122ccfa855SEd Masteuser verification was performed by the authenticator. 2133e696dfbSEd MasteThe 2143e696dfbSEd Maste.Fn fido_assert_set_hmac_secret 2153e696dfbSEd Mastefunction is normally only useful when writing tests. 2163e696dfbSEd Maste.Pp 2173e696dfbSEd MasteThe 2180afa8e06SEd Maste.Fn fido_assert_set_up 2190afa8e06SEd Masteand 2200afa8e06SEd Maste.Fn fido_assert_set_uv 2210afa8e06SEd Mastefunctions set the 2220afa8e06SEd Maste.Fa up 2230afa8e06SEd Maste(user presence) and 2240afa8e06SEd Maste.Fa uv 2250afa8e06SEd Maste(user verification) 2260afa8e06SEd Masteattributes of 2270afa8e06SEd Maste.Fa assert . 2280afa8e06SEd MasteBoth are 2290afa8e06SEd Maste.Dv FIDO_OPT_OMIT 2300afa8e06SEd Masteby default, allowing the authenticator to use its default settings. 2310afa8e06SEd Maste.Pp 232*60a517b6SEd MasteThe 233*60a517b6SEd Maste.Fn fido_assert_set_winhello_appid 234*60a517b6SEd Mastefunction sets the U2F application 235*60a517b6SEd Maste.Fa id 236*60a517b6SEd Maste.Pq Dq U2F AppID 237*60a517b6SEd Masteof 238*60a517b6SEd Maste.Fa assert , 239*60a517b6SEd Mastewhere 240*60a517b6SEd Maste.Fa id 241*60a517b6SEd Masteis a NUL-terminated UTF-8 string. 242*60a517b6SEd MasteThe content of 243*60a517b6SEd Maste.Fa id 244*60a517b6SEd Masteis copied, and no references to the passed pointer are kept. 245*60a517b6SEd MasteThe 246*60a517b6SEd Maste.Fn fido_assert_set_winhello_appid 247*60a517b6SEd Mastefunction is a no-op unless 248*60a517b6SEd Maste.Fa assert 249*60a517b6SEd Masteis passed to 250*60a517b6SEd Maste.Xr fido_dev_get_assert 3 251*60a517b6SEd Mastewith a device 252*60a517b6SEd Maste.Fa dev 253*60a517b6SEd Masteon which 254*60a517b6SEd Maste.Xr fido_dev_is_winhello 3 255*60a517b6SEd Masteholds true. 256*60a517b6SEd MasteIn this case, 257*60a517b6SEd Maste.Em libfido2 258*60a517b6SEd Mastewill instruct Windows Hello to try the assertion twice, 259*60a517b6SEd Mastefirst with the 260*60a517b6SEd Maste.Fa id 261*60a517b6SEd Mastepassed to 262*60a517b6SEd Maste.Fn fido_assert_set_rp , 263*60a517b6SEd Masteand a second time with the 264*60a517b6SEd Maste.Fa id 265*60a517b6SEd Mastepassed to 266*60a517b6SEd Maste.Fn fido_assert_set_winhello_appid . 267*60a517b6SEd MasteIf the second assertion succeeds, 268*60a517b6SEd Maste.Xr fido_assert_rp_id 3 269*60a517b6SEd Mastewill point to the U2F AppID once 270*60a517b6SEd Maste.Xr fido_dev_get_assert 3 271*60a517b6SEd Mastecompletes. 272*60a517b6SEd MasteThis mechanism exists in Windows Hello to ensure U2F backwards 273*60a517b6SEd Mastecompatibility without the application inadvertently prompting the 274*60a517b6SEd Masteuser twice. 275*60a517b6SEd MasteNote that 276*60a517b6SEd Maste.Fn fido_assert_set_winhello_appid 277*60a517b6SEd Masteis not needed on platforms offering CTAP primitives, since the 278*60a517b6SEd Masteauthenticator can be silently probed for the existence of U2F 279*60a517b6SEd Mastecredentials. 280*60a517b6SEd Maste.Pp 2810afa8e06SEd MasteUse of the 2820afa8e06SEd Maste.Nm 2830afa8e06SEd Masteset of functions may happen in two distinct situations: 2843e696dfbSEd Mastewhen asking a FIDO2 device to produce a series of assertion 2850afa8e06SEd Mastestatements, prior to 2860afa8e06SEd Maste.Xr fido_dev_get_assert 3 2873e696dfbSEd Maste(i.e, in the context of a FIDO2 client), or when verifying assertion 2880afa8e06SEd Mastestatements using 2890afa8e06SEd Maste.Xr fido_assert_verify 3 2903e696dfbSEd Maste(i.e, in the context of a FIDO2 server). 2910afa8e06SEd Maste.Pp 2920afa8e06SEd MasteFor a complete description of the generation of a FIDO2 assertion 2930afa8e06SEd Masteand its verification, please refer to the FIDO2 specification. 2940afa8e06SEd MasteAn example of how to use the 2950afa8e06SEd Maste.Nm 2960afa8e06SEd Masteset of functions can be found in the 2970afa8e06SEd Maste.Pa examples/assert.c 2980afa8e06SEd Mastefile shipped with 2990afa8e06SEd Maste.Em libfido2 . 3000afa8e06SEd Maste.Sh RETURN VALUES 3010afa8e06SEd MasteThe 3020afa8e06SEd Maste.Nm 3030afa8e06SEd Mastefunctions return 3040afa8e06SEd Maste.Dv FIDO_OK 3050afa8e06SEd Masteon success. 3060afa8e06SEd MasteThe error codes returned by the 3070afa8e06SEd Maste.Nm 3080afa8e06SEd Masteset of functions are defined in 3090afa8e06SEd Maste.In fido/err.h . 3100afa8e06SEd Maste.Sh SEE ALSO 3110afa8e06SEd Maste.Xr fido_assert_allow_cred 3 , 3120afa8e06SEd Maste.Xr fido_assert_verify 3 , 313*60a517b6SEd Maste.Xr fido_dev_get_assert 3 , 314*60a517b6SEd Maste.Xr fido_dev_is_winhello 3 315