.\" Copyright (c) 2020-2022 Yubico AB. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions are
.\" met:
.\"
.\"    1. Redistributions of source code must retain the above copyright
.\"       notice, this list of conditions and the following disclaimer.
.\"    2. Redistributions in binary form must reproduce the above copyright
.\"       notice, this list of conditions and the following disclaimer in
.\"       the documentation and/or other materials provided with the
.\"       distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" SPDX-License-Identifier: BSD-2-Clause
.\"
.Dd $Mdocdate: March 30 2022 $
.Dt FIDO_DEV_ENABLE_ENTATTEST 3
.Os
.Sh NAME
.Nm fido_dev_enable_entattest ,
.Nm fido_dev_toggle_always_uv ,
.Nm fido_dev_force_pin_change ,
.Nm fido_dev_set_pin_minlen ,
.Nm fido_dev_set_pin_minlen_rpid
.Nd CTAP 2.1 authenticator configuration API
.Sh SYNOPSIS
.In fido.h
.In fido/config.h
.Ft int
.Fn fido_dev_enable_entattest "fido_dev_t *dev" "const char *pin"
.Ft int
.Fn fido_dev_toggle_always_uv "fido_dev_t *dev" "const char *pin"
.Ft int
.Fn fido_dev_force_pin_change "fido_dev_t *dev" "const char *pin"
.Ft int
.Fn fido_dev_set_pin_minlen "fido_dev_t *dev" "size_t len" "const char *pin"
.Ft int
.Fn fido_dev_set_pin_minlen_rpid "fido_dev_t *dev" "const char * const *rpid" "size_t n" "const char *pin"
.Sh DESCRIPTION
The functions described in this page allow configuration of a
CTAP 2.1 authenticator.
.Pp
The
.Fn fido_dev_enable_entattest
function enables the
.Em Enterprise Attestation
feature on
.Fa dev .
.Em Enterprise Attestation
instructs the authenticator to include uniquely identifying
information in subsequent attestation statements.
Since such statements allow a relying party to recognise the individual
authenticator, the feature is best reserved for authenticators
deployed in a managed environment.
The
.Fa pin
parameter may be NULL if
.Fa dev
does not have a PIN set.
.Pp
The
.Fn fido_dev_toggle_always_uv
function toggles the
.Dq user verification always
feature on
.Fa dev .
When set, this toggle enforces user verification at the
authenticator level for all known credentials.
Since the function toggles the feature rather than setting it,
calling it on an authenticator that already has the feature enabled
requests that it be turned off; the current state can be checked
beforehand with
.Xr fido_dev_get_cbor_info 3 .
If
.Fa dev
supports U2F (CTAP1) and the user verification methods supported by
the authenticator do not allow protection of U2F credentials, the
U2F subsystem will be disabled by the authenticator.
The
.Fa pin
parameter may be NULL if
.Fa dev
does not have a PIN set.
.Pp
The
.Fn fido_dev_force_pin_change
function instructs
.Fa dev
to require a PIN change.
Subsequent PIN authentication attempts against
.Fa dev
will fail until its PIN is changed.
.Pp
The
.Fn fido_dev_set_pin_minlen
function sets the minimum PIN length of
.Fa dev
to
.Fa len .
Minimum PIN lengths may only be increased.
The change therefore cannot be undone by a later call with a smaller
.Fa len .
.Pp
The
.Fn fido_dev_set_pin_minlen_rpid
function sets the list of relying party identifiers
.Pq RP IDs
that are allowed to obtain the minimum PIN length of
.Fa dev
through the CTAP 2.1
.Dv FIDO_EXT_MINPINLEN
extension.
The list of RP identifiers is denoted by
.Fa rpid ,
a vector of
.Fa n
NUL-terminated UTF-8 strings.
A copy of
.Fa rpid
is made, and no reference to it or its contents is kept.
The maximum value of
.Fa n
supported by the authenticator can be obtained using
.Xr fido_cbor_info_maxrpid_minpinlen 3 .
.Pp
Configuration settings are reflected in the payload returned by the
authenticator in response to a
.Xr fido_dev_get_cbor_info 3
call.
This allows a caller to confirm that a setting has taken effect.
.Sh RETURN VALUES
The error codes returned by
.Fn fido_dev_enable_entattest ,
.Fn fido_dev_toggle_always_uv ,
.Fn fido_dev_force_pin_change ,
.Fn fido_dev_set_pin_minlen ,
and
.Fn fido_dev_set_pin_minlen_rpid
are defined in
.In fido/err.h .
On success,
.Dv FIDO_OK
is returned.
.Sh SEE ALSO
.Xr fido_cbor_info_maxrpid_minpinlen 3 ,
.Xr fido_cred_pin_minlen 3 ,
.Xr fido_dev_get_cbor_info 3 ,
.Xr fido_dev_reset 3