.\" Copyright (c) 2018-2022 Yubico AB. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions are
.\" met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in
.\"    the documentation and/or other materials provided with the
.\"    distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" SPDX-License-Identifier: BSD-2-Clause
.\"
.Dd $Mdocdate: April 27 2022 $
.Dt FIDO_ASSERT_SET_AUTHDATA 3
.Os
.Sh NAME
.Nm fido_assert_set_authdata ,
.Nm fido_assert_set_authdata_raw ,
.Nm fido_assert_set_clientdata ,
.Nm fido_assert_set_clientdata_hash ,
.Nm fido_assert_set_count ,
.Nm fido_assert_set_extensions ,
.Nm fido_assert_set_hmac_salt ,
.Nm fido_assert_set_hmac_secret ,
.Nm fido_assert_set_up ,
.Nm fido_assert_set_uv ,
.Nm fido_assert_set_rp ,
.Nm fido_assert_set_sig
.Nd set parameters of a FIDO2 assertion
.Sh SYNOPSIS
.In fido.h
.Bd -literal
typedef enum {
	FIDO_OPT_OMIT = 0, /* use authenticator's default */
	FIDO_OPT_FALSE,    /* explicitly set option to false */
	FIDO_OPT_TRUE,     /* explicitly set option to true */
} fido_opt_t;
.Ed
.Ft int
.Fn fido_assert_set_authdata "fido_assert_t *assert" "size_t idx" "const unsigned char *ptr" "size_t len"
.Ft int
.Fn fido_assert_set_authdata_raw "fido_assert_t *assert" "size_t idx" "const unsigned char *ptr" "size_t len"
.Ft int
.Fn fido_assert_set_clientdata "fido_assert_t *assert" "const unsigned char *ptr" "size_t len"
.Ft int
.Fn fido_assert_set_clientdata_hash "fido_assert_t *assert" "const unsigned char *ptr" "size_t len"
.Ft int
.Fn fido_assert_set_count "fido_assert_t *assert" "size_t n"
.Ft int
.Fn fido_assert_set_extensions "fido_assert_t *assert" "int flags"
.Ft int
.Fn fido_assert_set_hmac_salt "fido_assert_t *assert" "const unsigned char *ptr" "size_t len"
.Ft int
.Fn fido_assert_set_hmac_secret "fido_assert_t *assert" "size_t idx" "const unsigned char *ptr" "size_t len"
.Ft int
.Fn fido_assert_set_up "fido_assert_t *assert" "fido_opt_t up"
.Ft int
.Fn fido_assert_set_uv "fido_assert_t *assert" "fido_opt_t uv"
.Ft int
.Fn fido_assert_set_rp "fido_assert_t *assert" "const char *id"
.Ft int
.Fn fido_assert_set_sig "fido_assert_t *assert" "size_t idx" "const unsigned char *ptr" "size_t len"
.Sh DESCRIPTION
The
.Nm
set of functions define the various parameters of a FIDO2
assertion, allowing a
.Fa fido_assert_t
type to be prepared for a subsequent call to
.Xr fido_dev_get_assert 3
or
.Xr fido_assert_verify 3 .
For the complete specification of a FIDO2 assertion and the format
of its constituent parts, please refer to the Web Authentication
(webauthn) standard.
.Pp
The
.Fn fido_assert_set_count
function sets the number of assertion statements in
.Fa assert
to
.Fa n .
.Pp
The
.Fn fido_assert_set_authdata
and
.Fn fido_assert_set_sig
functions set the authenticator data and signature parts of the
statement with index
.Fa idx
of
.Fa assert
to
.Fa ptr ,
where
.Fa ptr
points to
.Fa len
bytes.
A copy of
.Fa ptr
is made, and no references to the passed pointer are kept.
Please note that the first assertion statement of
.Fa assert
has an
.Fa idx
of
.Em 0 .
The authenticator data passed to
.Fn fido_assert_set_authdata
must be a CBOR-encoded byte string, as obtained from
.Fn fido_assert_authdata_ptr .
Alternatively, a raw binary blob may be passed to
.Fn fido_assert_set_authdata_raw .
.Pp
The
.Fn fido_assert_set_clientdata_hash
function sets the client data hash of
.Fa assert
to
.Fa ptr ,
where
.Fa ptr
points to
.Fa len
bytes.
A copy of
.Fa ptr
is made, and no references to the passed pointer are kept.
.Pp
The
.Fn fido_assert_set_clientdata
function allows an application to set the client data hash of
.Fa assert
by specifying the assertion's unhashed client data.
This is required by Windows Hello, which calculates the client data
hash internally.
For compatibility with Windows Hello, applications should use
.Fn fido_assert_set_clientdata
instead of
.Fn fido_assert_set_clientdata_hash .
.Pp
The
.Fn fido_assert_set_rp
function sets the relying party
.Fa id
of
.Fa assert ,
where
.Fa id
is a NUL-terminated UTF-8 string.
The content of
.Fa id
is copied, and no references to the passed pointer are kept.
.Pp
The
.Fn fido_assert_set_extensions
function sets the extensions of
.Fa assert
to the bitmask
.Fa flags .
At the moment, only the
.Dv FIDO_EXT_CRED_BLOB ,
.Dv FIDO_EXT_HMAC_SECRET ,
and
.Dv FIDO_EXT_LARGEBLOB_KEY
extensions are supported.
If
.Fa flags
is zero, the extensions of
.Fa assert
are cleared.
.Pp
The
.Fn fido_assert_set_hmac_salt
and
.Fn fido_assert_set_hmac_secret
functions set the hmac-salt and hmac-secret parts of
.Fa assert
to
.Fa ptr ,
where
.Fa ptr
points to
.Fa len
bytes.
A copy of
.Fa ptr
is made, and no references to the passed pointer are kept.
The HMAC Secret
.Pq hmac-secret
Extension is a CTAP 2.0 extension.
Note that the resulting hmac-secret varies according to whether
user verification was performed by the authenticator.
The
.Fn fido_assert_set_hmac_secret
function is normally only useful when writing tests.
.Pp
The
.Fn fido_assert_set_up
and
.Fn fido_assert_set_uv
functions set the
.Fa up
(user presence) and
.Fa uv
(user verification)
attributes of
.Fa assert .
Both are
.Dv FIDO_OPT_OMIT
by default, allowing the authenticator to use its default settings.
.Pp
Use of the
.Nm
set of functions may happen in two distinct situations:
when asking a FIDO2 device to produce a series of assertion
statements, prior to
.Xr fido_dev_get_assert 3
(i.e., in the context of a FIDO2 client), or when verifying assertion
statements using
.Xr fido_assert_verify 3
(i.e., in the context of a FIDO2 server).
.Pp
For a complete description of the generation of a FIDO2 assertion
and its verification, please refer to the FIDO2 specification.
An example of how to use the
.Nm
set of functions can be found in the
.Pa examples/assert.c
file shipped with
.Em libfido2 .
.Sh RETURN VALUES
The
.Nm
functions return
.Dv FIDO_OK
on success.
The error codes returned by the
.Nm
set of functions are defined in
.In fido/err.h .
.Sh SEE ALSO
.Xr fido_assert_allow_cred 3 ,
.Xr fido_assert_verify 3 ,
.Xr fido_dev_get_assert 3