1.\" Copyright (c) 2018-2021 Yubico AB. All rights reserved. 2.\" Use of this source code is governed by a BSD-style 3.\" license that can be found in the LICENSE file. 4.\" 5.Dd $Mdocdate: May 23 2018 $ 6.Dt FIDO_CRED_SET_AUTHDATA 3 7.Os 8.Sh NAME 9.Nm fido_cred_set_authdata , 10.Nm fido_cred_set_authdata_raw , 11.Nm fido_cred_set_attstmt , 12.Nm fido_cred_set_x509 , 13.Nm fido_cred_set_sig , 14.Nm fido_cred_set_id , 15.Nm fido_cred_set_clientdata , 16.Nm fido_cred_set_clientdata_hash , 17.Nm fido_cred_set_rp , 18.Nm fido_cred_set_user , 19.Nm fido_cred_set_extensions , 20.Nm fido_cred_set_blob , 21.Nm fido_cred_set_pin_minlen , 22.Nm fido_cred_set_prot , 23.Nm fido_cred_set_rk , 24.Nm fido_cred_set_uv , 25.Nm fido_cred_set_fmt , 26.Nm fido_cred_set_type 27.Nd set parameters of a FIDO2 credential 28.Sh SYNOPSIS 29.In fido.h 30.Bd -literal 31typedef enum { 32 FIDO_OPT_OMIT = 0, /* use authenticator's default */ 33 FIDO_OPT_FALSE, /* explicitly set option to false */ 34 FIDO_OPT_TRUE, /* explicitly set option to true */ 35} fido_opt_t; 36.Ed 37.Ft int 38.Fn fido_cred_set_authdata "fido_cred_t *cred" "const unsigned char *ptr" "size_t len" 39.Ft int 40.Fn fido_cred_set_authdata_raw "fido_cred_t *cred" "const unsigned char *ptr" "size_t len" 41.Ft int 42.Fn fido_cred_set_attstmt "fido_cred_t *cred" "const unsigned char *ptr" "size_t len" 43.Ft int 44.Fn fido_cred_set_x509 "fido_cred_t *cred" "const unsigned char *ptr" "size_t len" 45.Ft int 46.Fn fido_cred_set_sig "fido_cred_t *cred" "const unsigned char *ptr" "size_t len" 47.Ft int 48.Fn fido_cred_set_id "fido_cred_t *cred" "const unsigned char *ptr" "size_t len" 49.Ft int 50.Fn fido_cred_set_clientdata "fido_cred_t *cred" "const unsigned char *ptr" "size_t len" 51.Ft int 52.Fn fido_cred_set_clientdata_hash "fido_cred_t *cred" "const unsigned char *ptr" "size_t len" 53.Ft int 54.Fn fido_cred_set_rp "fido_cred_t *cred" "const char *id" "const char *name" 55.Ft int 56.Fn fido_cred_set_user "fido_cred_t *cred" "const unsigned char *user_id" "size_t user_id_len" "const char *name" "const char *display_name" "const char *icon" 57.Ft int 58.Fn fido_cred_set_extensions "fido_cred_t *cred" "int flags" 59.Ft int 60.Fn fido_cred_set_blob "fido_cred_t *cred" "const unsigned char *ptr" "size_t len" 61.Ft int 62.Fn fido_cred_set_pin_minlen "fido_cred_t *cred" "size_t len" 63.Ft int 64.Fn fido_cred_set_prot "fido_cred_t *cred" "int prot" 65.Ft int 66.Fn fido_cred_set_rk "fido_cred_t *cred" "fido_opt_t rk" 67.Ft int 68.Fn fido_cred_set_uv "fido_cred_t *cred" "fido_opt_t uv" 69.Ft int 70.Fn fido_cred_set_fmt "fido_cred_t *cred" "const char *ptr" 71.Ft int 72.Fn fido_cred_set_type "fido_cred_t *cred" "int cose_alg" 73.Sh DESCRIPTION 74The 75.Nm 76set of functions define the various parameters of a FIDO2 77credential, allowing a 78.Fa fido_cred_t 79type to be prepared for a subsequent call to 80.Xr fido_dev_make_cred 3 81or 82.Xr fido_cred_verify 3 . 83For the complete specification of a FIDO2 credential and the format 84of its constituent parts, please refer to the Web Authentication 85(webauthn) standard. 86.Pp 87The 88.Fn fido_cred_set_authdata , 89.Fn fido_cred_set_attstmt , 90.Fn fido_cred_set_x509 , 91.Fn fido_cred_set_sig , 92.Fn fido_cred_set_id , 93and 94.Fn fido_cred_set_clientdata_hash 95functions set the authenticator data, attestation statement, 96attestation certificate, attestation signature, id, and client 97data hash parts of 98.Fa cred 99to 100.Fa ptr , 101where 102.Fa ptr 103points to 104.Fa len 105bytes. 106A copy of 107.Fa ptr 108is made, and no references to the passed pointer are kept. 109.Pp 110The authenticator data passed to 111.Fn fido_cred_set_authdata 112must be a CBOR-encoded byte string, as obtained from 113.Fn fido_cred_authdata_ptr . 114Alternatively, a raw binary blob may be passed to 115.Fn fido_cred_set_authdata_raw . 116An application calling 117.Fn fido_cred_set_authdata 118does not need to call 119.Fn fido_cred_set_id . 120The latter is meant to be used in contexts where the 121credential's authenticator data is not available. 122.Pp 123The attestation statement passed to 124.Fn fido_cred_set_attstmt 125must be a CBOR-encoded map, as obtained from 126.Fn fido_cred_attstmt_ptr . 127An application calling 128.Fn fido_cred_set_attstmt 129does not need to call 130.Fn fido_cred_set_x509 131or 132.Fn fido_cred_set_sig . 133The latter two are meant to be used in contexts where the 134credential's complete attestation statement is not available or 135required. 136.Pp 137The 138.Fn fido_cred_set_clientdata 139function allows an application to set the client data hash of 140.Fa cred 141by specifying the credential's unhashed client data. 142This is required by Windows Hello, which calculates the client data 143hash internally. 144For compatibility with Windows Hello, applications should use 145.Fn fido_cred_set_clientdata 146instead of 147.Fn fido_cred_set_clientdata_hash . 148.Pp 149The 150.Fn fido_cred_set_rp 151function sets the relying party 152.Fa id 153and 154.Fa name 155parameters of 156.Fa cred , 157where 158.Fa id 159and 160.Fa name 161are NUL-terminated UTF-8 strings. 162The contents of 163.Fa id 164and 165.Fa name 166are copied, and no references to the passed pointers are kept. 167.Pp 168The 169.Fn fido_cred_set_user 170function sets the user attributes of 171.Fa cred , 172where 173.Fa user_id 174points to 175.Fa user_id_len 176bytes and 177.Fa name , 178.Fa display_name , 179and 180.Fa icon 181are NUL-terminated UTF-8 strings. 182The contents of 183.Fa user_id , 184.Fa name , 185.Fa display_name , 186and 187.Fa icon 188are copied, and no references to the passed pointers are kept. 189Previously set user attributes are flushed. 190The 191.Fa user_id , 192.Fa name , 193.Fa display_name , 194and 195.Fa icon 196parameters may be NULL. 197.Pp 198The 199.Fn fido_cred_set_extensions 200function sets the extensions of 201.Fa cred 202to the bitmask 203.Fa flags . 204At the moment, only the 205.Dv FIDO_EXT_CRED_BLOB , 206.Dv FIDO_EXT_CRED_PROTECT , 207.Dv FIDO_EXT_HMAC_SECRET , 208.Dv FIDO_EXT_MINPINLEN , 209and 210.Dv FIDO_EXT_LARGEBLOB_KEY 211extensions are supported. 212If 213.Fa flags 214is zero, the extensions of 215.Fa cred 216are cleared. 217.Pp 218The 219.Fn fido_cred_set_blob 220function sets the 221.Dq credBlob 222to be stored with 223.Fa cred 224to the data pointed to by 225.Fa ptr , 226which must be 227.Fa len 228bytes long. 229.Pp 230The 231.Fn fido_cred_set_pin_minlen 232function enables the CTAP 2.1 233.Dv FIDO_EXT_MINPINLEN 234extension on 235.Fa cred 236and sets the expected minimum PIN length of 237.Fa cred 238to 239.Fa len , 240where 241.Fa len 242is greater than zero. 243If 244.Fa len 245is zero, the 246.Dv FIDO_EXT_MINPINLEN 247extension is disabled on 248.Fa cred . 249.Pp 250The 251.Fn fido_cred_set_prot 252function enables the CTAP 2.1 253.Dv FIDO_EXT_CRED_PROTECT 254extension on 255.Fa cred 256and sets the protection of 257.Fa cred 258to the scalar 259.Fa prot . 260At the moment, only the 261.Dv FIDO_CRED_PROT_UV_OPTIONAL , 262.Dv FIDO_CRED_PROT_UV_OPTIONAL_WITH_ID , 263and 264.Dv FIDO_CRED_PROT_UV_REQUIRED 265protections are supported. 266If 267.Fa prot 268is zero, the protection of 269.Fa cred 270is cleared. 271.Pp 272The 273.Fn fido_cred_set_rk 274and 275.Fn fido_cred_set_uv 276functions set the 277.Em rk 278.Pq resident/discoverable key 279and 280.Em uv 281.Pq user verification 282attributes of 283.Fa cred . 284Both are 285.Dv FIDO_OPT_OMIT 286by default, allowing the authenticator to use its default settings. 287.Pp 288The 289.Fn fido_cred_set_fmt 290function sets the attestation format of 291.Fa cred 292to 293.Fa fmt , 294where 295.Fa fmt 296must be 297.Vt "packed" 298.Pq the format used in FIDO2 , 299.Vt "fido-u2f" 300.Pq the format used by U2F , 301or 302.Vt "none" . 303A copy of 304.Fa fmt 305is made, and no references to the passed pointer are kept. 306Note that not all authenticators support FIDO2 and therefore may not 307be able to generate 308.Vt "packed" . 309.Pp 310The 311.Fn fido_cred_set_type 312function sets the type of 313.Fa cred to 314.Fa cose_alg , 315where 316.Fa cose_alg 317is 318.Dv COSE_ES256 , 319.Dv COSE_RS256 , 320or 321.Dv COSE_EDDSA . 322The type of a credential may only be set once. 323Note that not all authenticators support COSE_RS256 or COSE_EDDSA. 324.Pp 325Use of the 326.Nm 327set of functions may happen in two distinct situations: 328when generating a new credential on a FIDO2 device, prior to 329.Xr fido_dev_make_cred 3 330(i.e, in the context of a FIDO2 client), or when validating 331a generated credential using 332.Xr fido_cred_verify 3 333(i.e, in the context of a FIDO2 server). 334.Pp 335For a complete description of the generation of a FIDO2 credential 336and its verification, please refer to the FIDO2 specification. 337A concrete utilisation example of the 338.Nm 339set of functions can be found in the 340.Pa cred.c 341example shipped with 342.Em libfido2 . 343.Sh RETURN VALUES 344The error codes returned by the 345.Nm 346set of functions are defined in 347.In fido/err.h . 348On success, 349.Dv FIDO_OK 350is returned. 351.Sh SEE ALSO 352.Xr fido_cred_exclude 3 , 353.Xr fido_cred_verify 3 , 354.Xr fido_dev_make_cred 3 355