1.\" Copyright (c) 2018-2021 Yubico AB. All rights reserved. 2.\" 3.\" Redistribution and use in source and binary forms, with or without 4.\" modification, are permitted provided that the following conditions are 5.\" met: 6.\" 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in 11.\" the documentation and/or other materials provided with the 12.\" distribution. 13.\" 14.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 15.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 16.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 17.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 18.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 19.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 20.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 21.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 22.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 24.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25.\" 26.\" SPDX-License-Identifier: BSD-2-Clause 27.\" 28.Dd $Mdocdate: May 23 2018 $ 29.Dt FIDO_CRED_VERIFY 3 30.Os 31.Sh NAME 32.Nm fido_cred_verify , 33.Nm fido_cred_verify_self 34.Nd verify the attestation signature of a FIDO2 credential 35.Sh SYNOPSIS 36.In fido.h 37.Ft int 38.Fn fido_cred_verify "const fido_cred_t *cred" 39.Ft int 40.Fn fido_cred_verify_self "const fido_cred_t *cred" 41.Sh DESCRIPTION 42The 43.Fn fido_cred_verify 44and 45.Fn fido_cred_verify_self 46functions verify whether the attestation signature contained in 47.Fa cred 48matches the attributes of the credential. 49Before using 50.Fn fido_cred_verify 51or 52.Fn fido_cred_verify_self 53in a sensitive context, the reader is strongly encouraged to make 54herself familiar with the FIDO2 credential attestation process 55as defined in the Web Authentication (webauthn) standard. 56.Pp 57The 58.Fn fido_cred_verify 59function verifies whether the client data hash, relying party ID, 60credential ID, type, protection policy, minimum PIN length, and 61resident/discoverable key and user verification attributes of 62.Fa cred 63have been attested by the holder of the private counterpart of 64the public key contained in the credential's x509 certificate. 65.Pp 66Please note that the x509 certificate itself is not verified. 67.Pp 68The attestation statement formats supported by 69.Fn fido_cred_verify 70are 71.Em packed , 72.Em fido-u2f , 73and 74.Em tpm . 75The attestation type implemented by 76.Fn fido_cred_verify 77is 78.Em Basic Attestation . 79.Pp 80The 81.Fn fido_cred_verify_self 82function verifies whether the client data hash, relying party ID, 83credential ID, type, protection policy, minimum PIN length, and 84resident/discoverable key and user verification attributes of 85.Fa cred 86have been attested by the holder of the credential's private key. 87.Pp 88The attestation statement formats supported by 89.Fn fido_cred_verify_self 90are 91.Em packed 92and 93.Em fido-u2f . 94The attestation type implemented by 95.Fn fido_cred_verify_self 96is 97.Em Self Attestation . 98.Pp 99Other attestation formats and types are not supported. 100.Sh RETURN VALUES 101The error codes returned by 102.Fn fido_cred_verify 103and 104.Fn fido_cred_verify_self 105are defined in 106.In fido/err.h . 107If 108.Fa cred 109passes verification, then 110.Dv FIDO_OK 111is returned. 112.Sh SEE ALSO 113.Xr fido_cred_new 3 , 114.Xr fido_cred_set_authdata 3 115