1f540a430SEd Maste.\" Copyright (c) 2018-2021 Yubico AB. All rights reserved. 2*2ccfa855SEd Maste.\" 3*2ccfa855SEd Maste.\" Redistribution and use in source and binary forms, with or without 4*2ccfa855SEd Maste.\" modification, are permitted provided that the following conditions are 5*2ccfa855SEd Maste.\" met: 6*2ccfa855SEd Maste.\" 7*2ccfa855SEd Maste.\" 1. Redistributions of source code must retain the above copyright 8*2ccfa855SEd Maste.\" notice, this list of conditions and the following disclaimer. 9*2ccfa855SEd Maste.\" 2. Redistributions in binary form must reproduce the above copyright 10*2ccfa855SEd Maste.\" notice, this list of conditions and the following disclaimer in 11*2ccfa855SEd Maste.\" the documentation and/or other materials provided with the 12*2ccfa855SEd Maste.\" distribution. 13*2ccfa855SEd Maste.\" 14*2ccfa855SEd Maste.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 15*2ccfa855SEd Maste.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 16*2ccfa855SEd Maste.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 17*2ccfa855SEd Maste.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 18*2ccfa855SEd Maste.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 19*2ccfa855SEd Maste.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 20*2ccfa855SEd Maste.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 21*2ccfa855SEd Maste.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 22*2ccfa855SEd Maste.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23*2ccfa855SEd Maste.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 24*2ccfa855SEd Maste.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25*2ccfa855SEd Maste.\" 26*2ccfa855SEd Maste.\" SPDX-License-Identifier: BSD-2-Clause 270afa8e06SEd Maste.\" 280afa8e06SEd Maste.Dd $Mdocdate: May 23 2018 $ 290afa8e06SEd Maste.Dt FIDO_CRED_NEW 3 300afa8e06SEd Maste.Os 310afa8e06SEd Maste.Sh NAME 320afa8e06SEd Maste.Nm fido_cred_new , 330afa8e06SEd Maste.Nm fido_cred_free , 34f540a430SEd Maste.Nm fido_cred_pin_minlen , 350afa8e06SEd Maste.Nm fido_cred_prot , 360afa8e06SEd Maste.Nm fido_cred_fmt , 370afa8e06SEd Maste.Nm fido_cred_rp_id , 380afa8e06SEd Maste.Nm fido_cred_rp_name , 390afa8e06SEd Maste.Nm fido_cred_user_name , 400afa8e06SEd Maste.Nm fido_cred_display_name , 410afa8e06SEd Maste.Nm fido_cred_authdata_ptr , 420afa8e06SEd Maste.Nm fido_cred_authdata_raw_ptr , 430afa8e06SEd Maste.Nm fido_cred_clientdata_hash_ptr , 440afa8e06SEd Maste.Nm fido_cred_id_ptr , 450afa8e06SEd Maste.Nm fido_cred_aaguid_ptr , 460afa8e06SEd Maste.Nm fido_cred_largeblob_key_ptr , 470afa8e06SEd Maste.Nm fido_cred_pubkey_ptr , 480afa8e06SEd Maste.Nm fido_cred_sig_ptr , 490afa8e06SEd Maste.Nm fido_cred_user_id_ptr , 500afa8e06SEd Maste.Nm fido_cred_x5c_ptr , 51f540a430SEd Maste.Nm fido_cred_attstmt_ptr , 520afa8e06SEd Maste.Nm fido_cred_authdata_len , 530afa8e06SEd Maste.Nm fido_cred_authdata_raw_len , 540afa8e06SEd Maste.Nm fido_cred_clientdata_hash_len , 550afa8e06SEd Maste.Nm fido_cred_id_len , 560afa8e06SEd Maste.Nm fido_cred_aaguid_len , 570afa8e06SEd Maste.Nm fido_cred_largeblob_key_len , 580afa8e06SEd Maste.Nm fido_cred_pubkey_len , 590afa8e06SEd Maste.Nm fido_cred_sig_len , 600afa8e06SEd Maste.Nm fido_cred_user_id_len , 610afa8e06SEd Maste.Nm fido_cred_x5c_len , 62f540a430SEd Maste.Nm fido_cred_attstmt_len , 630afa8e06SEd Maste.Nm fido_cred_type , 640afa8e06SEd Maste.Nm fido_cred_flags , 650afa8e06SEd Maste.Nm fido_cred_sigcount 660afa8e06SEd Maste.Nd FIDO2 credential API 670afa8e06SEd Maste.Sh SYNOPSIS 680afa8e06SEd Maste.In fido.h 690afa8e06SEd Maste.Ft fido_cred_t * 700afa8e06SEd Maste.Fn fido_cred_new "void" 710afa8e06SEd Maste.Ft void 720afa8e06SEd Maste.Fn fido_cred_free "fido_cred_t **cred_p" 73f540a430SEd Maste.Ft size_t 74f540a430SEd Maste.Fn fido_cred_pin_minlen "const fido_cred_t *cred" 750afa8e06SEd Maste.Ft int 76f540a430SEd Maste.Fn fido_cred_prot "const fido_cred_t *cred" 770afa8e06SEd Maste.Ft const char * 780afa8e06SEd Maste.Fn fido_cred_fmt "const fido_cred_t *cred" 790afa8e06SEd Maste.Ft const char * 800afa8e06SEd Maste.Fn fido_cred_rp_id "const fido_cred_t *cred" 810afa8e06SEd Maste.Ft const char * 820afa8e06SEd Maste.Fn fido_cred_rp_name "const fido_cred_t *cred" 830afa8e06SEd Maste.Ft const char * 840afa8e06SEd Maste.Fn fido_cred_user_name "const fido_cred_t *cred" 850afa8e06SEd Maste.Ft const char * 860afa8e06SEd Maste.Fn fido_cred_display_name "const fido_cred_t *cred" 870afa8e06SEd Maste.Ft const unsigned char * 880afa8e06SEd Maste.Fn fido_cred_authdata_ptr "const fido_cred_t *cred" 890afa8e06SEd Maste.Ft const unsigned char * 900afa8e06SEd Maste.Fn fido_cred_authdata_raw_ptr "const fido_cred_t *cred" 910afa8e06SEd Maste.Ft const unsigned char * 920afa8e06SEd Maste.Fn fido_cred_clientdata_hash_ptr "const fido_cred_t *cred" 930afa8e06SEd Maste.Ft const unsigned char * 940afa8e06SEd Maste.Fn fido_cred_id_ptr "const fido_cred_t *cred" 950afa8e06SEd Maste.Ft const unsigned char * 960afa8e06SEd Maste.Fn fido_cred_aaguid_ptr "const fido_cred_t *cred" 970afa8e06SEd Maste.Ft const unsigned char * 980afa8e06SEd Maste.Fn fido_cred_largeblob_key_ptr "const fido_cred_t *cred" 990afa8e06SEd Maste.Ft const unsigned char * 1000afa8e06SEd Maste.Fn fido_cred_pubkey_ptr "const fido_cred_t *cred" 1010afa8e06SEd Maste.Ft const unsigned char * 1020afa8e06SEd Maste.Fn fido_cred_sig_ptr "const fido_cred_t *cred" 1030afa8e06SEd Maste.Ft const unsigned char * 1040afa8e06SEd Maste.Fn fido_cred_user_id_ptr "const fido_cred_t *cred" 1050afa8e06SEd Maste.Ft const unsigned char * 1060afa8e06SEd Maste.Fn fido_cred_x5c_ptr "const fido_cred_t *cred" 107f540a430SEd Maste.Ft const unsigned char * 108f540a430SEd Maste.Fn fido_cred_attstmt_ptr "const fido_cred_t *cred" 1090afa8e06SEd Maste.Ft size_t 1100afa8e06SEd Maste.Fn fido_cred_authdata_len "const fido_cred_t *cred" 1110afa8e06SEd Maste.Ft size_t 1120afa8e06SEd Maste.Fn fido_cred_authdata_raw_len "const fido_cred_t *cred" 1130afa8e06SEd Maste.Ft size_t 1140afa8e06SEd Maste.Fn fido_cred_clientdata_hash_len "const fido_cred_t *cred" 1150afa8e06SEd Maste.Ft size_t 1160afa8e06SEd Maste.Fn fido_cred_id_len "const fido_cred_t *cred" 1170afa8e06SEd Maste.Ft size_t 1180afa8e06SEd Maste.Fn fido_cred_aaguid_len "const fido_cred_t *cred" 1190afa8e06SEd Maste.Ft size_t 1200afa8e06SEd Maste.Fn fido_cred_largeblob_key_len "const fido_cred_t *cred" 1210afa8e06SEd Maste.Ft size_t 1220afa8e06SEd Maste.Fn fido_cred_pubkey_len "const fido_cred_t *cred" 1230afa8e06SEd Maste.Ft size_t 1240afa8e06SEd Maste.Fn fido_cred_sig_len "const fido_cred_t *cred" 1250afa8e06SEd Maste.Ft size_t 1260afa8e06SEd Maste.Fn fido_cred_user_id_len "const fido_cred_t *cred" 1270afa8e06SEd Maste.Ft size_t 1280afa8e06SEd Maste.Fn fido_cred_x5c_len "const fido_cred_t *cred" 129f540a430SEd Maste.Ft size_t 130f540a430SEd Maste.Fn fido_cred_attstmt_len "const fido_cred_t *cred" 1310afa8e06SEd Maste.Ft int 1320afa8e06SEd Maste.Fn fido_cred_type "const fido_cred_t *cred" 1330afa8e06SEd Maste.Ft uint8_t 1340afa8e06SEd Maste.Fn fido_cred_flags "const fido_cred_t *cred" 1350afa8e06SEd Maste.Ft uint32_t 1360afa8e06SEd Maste.Fn fido_cred_sigcount "const fido_cred_t *cred" 1370afa8e06SEd Maste.Sh DESCRIPTION 1380afa8e06SEd MasteFIDO2 credentials are abstracted in 1390afa8e06SEd Maste.Em libfido2 1400afa8e06SEd Masteby the 1410afa8e06SEd Maste.Vt fido_cred_t 1420afa8e06SEd Mastetype. 1430afa8e06SEd MasteThe functions described in this page allow a 1440afa8e06SEd Maste.Vt fido_cred_t 1450afa8e06SEd Mastetype to be allocated, deallocated, and inspected. 1460afa8e06SEd MasteFor other operations on 1470afa8e06SEd Maste.Vt fido_cred_t , 1480afa8e06SEd Masteplease refer to 1490afa8e06SEd Maste.Xr fido_cred_set_authdata 3 , 1500afa8e06SEd Maste.Xr fido_cred_exclude 3 , 1510afa8e06SEd Maste.Xr fido_cred_verify 3 , 1520afa8e06SEd Masteand 1530afa8e06SEd Maste.Xr fido_dev_make_cred 3 . 1540afa8e06SEd Maste.Pp 1550afa8e06SEd MasteThe 1560afa8e06SEd Maste.Fn fido_cred_new 1570afa8e06SEd Mastefunction returns a pointer to a newly allocated, empty 1580afa8e06SEd Maste.Vt fido_cred_t 1590afa8e06SEd Mastetype. 1600afa8e06SEd MasteIf memory cannot be allocated, NULL is returned. 1610afa8e06SEd Maste.Pp 1620afa8e06SEd MasteThe 1630afa8e06SEd Maste.Fn fido_cred_free 1640afa8e06SEd Mastefunction releases the memory backing 1650afa8e06SEd Maste.Fa *cred_p , 1660afa8e06SEd Mastewhere 1670afa8e06SEd Maste.Fa *cred_p 1680afa8e06SEd Mastemust have been previously allocated by 1690afa8e06SEd Maste.Fn fido_cred_new . 1700afa8e06SEd MasteOn return, 1710afa8e06SEd Maste.Fa *cred_p 1720afa8e06SEd Masteis set to NULL. 1730afa8e06SEd MasteEither 1740afa8e06SEd Maste.Fa cred_p 1750afa8e06SEd Masteor 1760afa8e06SEd Maste.Fa *cred_p 1770afa8e06SEd Mastemay be NULL, in which case 1780afa8e06SEd Maste.Fn fido_cred_free 1790afa8e06SEd Masteis a NOP. 1800afa8e06SEd Maste.Pp 1813e696dfbSEd MasteIf the CTAP 2.1 182f540a430SEd Maste.Dv FIDO_EXT_MINPINLEN 183f540a430SEd Masteextension is enabled on 184f540a430SEd Maste.Fa cred , 185f540a430SEd Mastethen the 186f540a430SEd Maste.Fn fido_cred_pin_minlen 187f540a430SEd Mastefunction returns the minimum PIN length of 188f540a430SEd Maste.Fa cred . 189f540a430SEd MasteOtherwise, 190f540a430SEd Maste.Fn fido_cred_pin_minlen 191f540a430SEd Mastereturns zero. 192f540a430SEd MasteSee 193f540a430SEd Maste.Xr fido_cred_set_pin_minlen 3 194f540a430SEd Masteon how to enable this extension. 195f540a430SEd Maste.Pp 1963e696dfbSEd MasteIf the CTAP 2.1 197f540a430SEd Maste.Dv FIDO_EXT_CRED_PROTECT 198f540a430SEd Masteextension is enabled on 199f540a430SEd Maste.Fa cred , 200f540a430SEd Mastethen the 2010afa8e06SEd Maste.Fn fido_cred_prot 2020afa8e06SEd Mastefunction returns the protection of 2030afa8e06SEd Maste.Fa cred . 204f540a430SEd MasteOtherwise, 205f540a430SEd Maste.Fn fido_cred_prot 206f540a430SEd Mastereturns zero. 2070afa8e06SEd MasteSee 2080afa8e06SEd Maste.Xr fido_cred_set_prot 3 209f540a430SEd Mastefor the protection policies understood by 2100afa8e06SEd Maste.Em libfido2 . 2110afa8e06SEd Maste.Pp 2120afa8e06SEd MasteThe 2130afa8e06SEd Maste.Fn fido_cred_fmt 2140afa8e06SEd Mastefunction returns a pointer to a NUL-terminated string containing 215*2ccfa855SEd Mastethe attestation statement format identifier of 2160afa8e06SEd Maste.Fa cred , 2170afa8e06SEd Masteor NULL if 2180afa8e06SEd Maste.Fa cred 2190afa8e06SEd Mastedoes not have a format set. 2200afa8e06SEd Maste.Pp 2210afa8e06SEd MasteThe 2220afa8e06SEd Maste.Fn fido_cred_rp_id , 2230afa8e06SEd Maste.Fn fido_cred_rp_name , 2240afa8e06SEd Maste.Fn fido_cred_user_name , 2250afa8e06SEd Masteand 2260afa8e06SEd Maste.Fn fido_cred_display_name 2270afa8e06SEd Mastefunctions return pointers to NUL-terminated strings holding the 2280afa8e06SEd Masterelying party ID, relying party name, user name, and user display 2290afa8e06SEd Mastename attributes of 2300afa8e06SEd Maste.Fa cred , 2310afa8e06SEd Masteor NULL if the respective entry is not set. 2320afa8e06SEd Maste.Pp 2330afa8e06SEd MasteThe 2340afa8e06SEd Maste.Fn fido_cred_authdata_ptr , 2350afa8e06SEd Maste.Fn fido_cred_authdata_raw_ptr , 2360afa8e06SEd Maste.Fn fido_cred_clientdata_hash_ptr , 2370afa8e06SEd Maste.Fn fido_cred_id_ptr , 2380afa8e06SEd Maste.Fn fido_cred_aaguid_ptr , 2390afa8e06SEd Maste.Fn fido_cred_largeblob_key_ptr , 2400afa8e06SEd Maste.Fn fido_cred_pubkey_ptr , 2410afa8e06SEd Maste.Fn fido_cred_sig_ptr , 2420afa8e06SEd Maste.Fn fido_cred_user_id_ptr , 243f540a430SEd Maste.Fn fido_cred_x5c_ptr , 2440afa8e06SEd Masteand 245f540a430SEd Maste.Fn fido_cred_attstmt_ptr 2460afa8e06SEd Mastefunctions return pointers to the CBOR-encoded and raw authenticator 2470afa8e06SEd Mastedata, client data hash, ID, authenticator attestation GUID, 2480afa8e06SEd Maste.Dq largeBlobKey , 249f540a430SEd Mastepublic key, signature, user ID, x509 certificate, and attestation 250f540a430SEd Mastestatement parts of 2510afa8e06SEd Maste.Fa cred , 2520afa8e06SEd Masteor NULL if the respective entry is not set. 2530afa8e06SEd Maste.Pp 2540afa8e06SEd MasteThe corresponding length can be obtained by 2550afa8e06SEd Maste.Fn fido_cred_authdata_len , 2560afa8e06SEd Maste.Fn fido_cred_authdata_raw_len , 2570afa8e06SEd Maste.Fn fido_cred_clientdata_hash_len , 2580afa8e06SEd Maste.Fn fido_cred_id_len , 2590afa8e06SEd Maste.Fn fido_cred_aaguid_len , 2600afa8e06SEd Maste.Fn fido_cred_largeblob_key_len , 2610afa8e06SEd Maste.Fn fido_cred_pubkey_len , 2620afa8e06SEd Maste.Fn fido_cred_sig_len , 2630afa8e06SEd Maste.Fn fido_cred_user_id_len , 264f540a430SEd Maste.Fn fido_cred_x5c_len , 2650afa8e06SEd Masteand 266f540a430SEd Maste.Fn fido_cred_attstmt_len . 2670afa8e06SEd Maste.Pp 2680afa8e06SEd MasteThe authenticator data, x509 certificate, and signature parts of a 2690afa8e06SEd Mastecredential are typically passed to a FIDO2 server for verification. 2700afa8e06SEd Maste.Pp 2710afa8e06SEd MasteThe 2720afa8e06SEd Maste.Fn fido_cred_type 2730afa8e06SEd Mastefunction returns the COSE algorithm of 2740afa8e06SEd Maste.Fa cred . 2750afa8e06SEd Maste.Pp 2760afa8e06SEd MasteThe 2770afa8e06SEd Maste.Fn fido_cred_flags 2780afa8e06SEd Mastefunction returns the authenticator data flags of 2790afa8e06SEd Maste.Fa cred . 2800afa8e06SEd Maste.Pp 2810afa8e06SEd MasteThe 2820afa8e06SEd Maste.Fn fido_cred_sigcount 2830afa8e06SEd Mastefunction returns the authenticator data signature counter of 2840afa8e06SEd Maste.Fa cred . 2850afa8e06SEd Maste.Sh RETURN VALUES 2860afa8e06SEd MasteThe authenticator data returned by 2870afa8e06SEd Maste.Fn fido_cred_authdata_ptr 2880afa8e06SEd Masteis a CBOR-encoded byte string, as obtained from the authenticator. 2890afa8e06SEd MasteTo obtain the decoded byte string, use 2900afa8e06SEd Maste.Fn fido_cred_authdata_raw_ptr . 2910afa8e06SEd Maste.Pp 2920afa8e06SEd MasteIf not NULL, pointers returned by 2930afa8e06SEd Maste.Fn fido_cred_fmt , 2940afa8e06SEd Maste.Fn fido_cred_authdata_ptr , 2950afa8e06SEd Maste.Fn fido_cred_clientdata_hash_ptr , 2960afa8e06SEd Maste.Fn fido_cred_id_ptr , 2970afa8e06SEd Maste.Fn fido_cred_aaguid_ptr , 2980afa8e06SEd Maste.Fn fido_cred_largeblob_key_ptr , 2990afa8e06SEd Maste.Fn fido_cred_pubkey_ptr , 3000afa8e06SEd Maste.Fn fido_cred_sig_ptr , 3010afa8e06SEd Masteand 3020afa8e06SEd Maste.Fn fido_cred_x5c_ptr 3030afa8e06SEd Masteare guaranteed to exist until any API function that takes 3040afa8e06SEd Maste.Fa cred 3050afa8e06SEd Mastewithout the 3060afa8e06SEd Maste.Em const 3070afa8e06SEd Mastequalifier is invoked. 3080afa8e06SEd Maste.Sh SEE ALSO 3090afa8e06SEd Maste.Xr fido_cred_exclude 3 , 3100afa8e06SEd Maste.Xr fido_cred_set_authdata 3 , 311f540a430SEd Maste.Xr fido_cred_set_pin_minlen 3 , 312f540a430SEd Maste.Xr fido_cred_set_prot 3 , 3130afa8e06SEd Maste.Xr fido_cred_verify 3 , 3140afa8e06SEd Maste.Xr fido_credman_metadata_new 3 , 3150afa8e06SEd Maste.Xr fido_dev_largeblob_get 3 , 3160afa8e06SEd Maste.Xr fido_dev_make_cred 3 317