xref: /freebsd/contrib/libfido2/man/fido_cred_verify.3 (revision e6bfd18d21b225af6a0ed67ceeaf1293b7b9eba5)
1.\" Copyright (c) 2018-2021 Yubico AB. All rights reserved.
2.\" Use of this source code is governed by a BSD-style
3.\" license that can be found in the LICENSE file.
4.\"
5.Dd $Mdocdate: May 23 2018 $
6.Dt FIDO_CRED_VERIFY 3
7.Os
8.Sh NAME
9.Nm fido_cred_verify ,
10.Nm fido_cred_verify_self
11.Nd verify the attestation signature of a FIDO2 credential
12.Sh SYNOPSIS
13.In fido.h
14.Ft int
15.Fn fido_cred_verify "const fido_cred_t *cred"
16.Ft int
17.Fn fido_cred_verify_self "const fido_cred_t *cred"
18.Sh DESCRIPTION
19The
20.Fn fido_cred_verify
21and
22.Fn fido_cred_verify_self
23functions verify whether the attestation signature contained in
24.Fa cred
25matches the attributes of the credential.
26Before using
27.Fn fido_cred_verify
28or
29.Fn fido_cred_verify_self
30in a sensitive context, the reader is strongly encouraged to make
31herself familiar with the FIDO2 credential attestation process
32as defined in the Web Authentication (webauthn) standard.
33.Pp
34The
35.Fn fido_cred_verify
36function verifies whether the client data hash, relying party ID,
37credential ID, type, protection policy, minimum PIN length, and
38resident/discoverable key and user verification attributes of
39.Fa cred
40have been attested by the holder of the private counterpart of
41the public key contained in the credential's x509 certificate.
42.Pp
43Please note that the x509 certificate itself is not verified.
44.Pp
45The attestation statement formats supported by
46.Fn fido_cred_verify
47are
48.Em packed ,
49.Em fido-u2f ,
50and
51.Em tpm .
52The attestation type implemented by
53.Fn fido_cred_verify
54is
55.Em Basic Attestation .
56.Pp
57The
58.Fn fido_cred_verify_self
59function verifies whether the client data hash, relying party ID,
60credential ID, type, protection policy, minimum PIN length, and
61resident/discoverable key and user verification attributes of
62.Fa cred
63have been attested by the holder of the credential's private key.
64.Pp
65The attestation statement formats supported by
66.Fn fido_cred_verify_self
67are
68.Em packed
69and
70.Em fido-u2f .
71The attestation type implemented by
72.Fn fido_cred_verify_self
73is
74.Em Self Attestation .
75.Pp
76Other attestation formats and types are not supported.
77.Sh RETURN VALUES
78The error codes returned by
79.Fn fido_cred_verify
80and
81.Fn fido_cred_verify_self
82are defined in
83.In fido/err.h .
84If
85.Fa cred
86passes verification, then
87.Dv FIDO_OK
88is returned.
89.Sh SEE ALSO
90.Xr fido_cred_new 3 ,
91.Xr fido_cred_set_authdata 3
92