.\" Copyright (c) 2020 Yubico AB. All rights reserved.
.\" Use of this source code is governed by a BSD-style
.\" license that can be found in the LICENSE file.
.\"
.Dd $Mdocdate: September 22 2020 $
.Dt FIDO_DEV_ENABLE_ENTATTEST 3
.Os
.Sh NAME
.Nm fido_dev_enable_entattest ,
.Nm fido_dev_toggle_always_uv ,
.Nm fido_dev_force_pin_change ,
.Nm fido_dev_set_pin_minlen ,
.Nm fido_dev_set_pin_minlen_rpid
.Nd CTAP 2.1 configuration authenticator API
.Sh SYNOPSIS
.In fido.h
.In fido/config.h
.Ft int
.Fn fido_dev_enable_entattest "fido_dev_t *dev" "const char *pin"
.Ft int
.Fn fido_dev_toggle_always_uv "fido_dev_t *dev" "const char *pin"
.Ft int
.Fn fido_dev_force_pin_change "fido_dev_t *dev" "const char *pin"
.Ft int
.Fn fido_dev_set_pin_minlen "fido_dev_t *dev" "size_t len" "const char *pin"
.Ft int
.Fn fido_dev_set_pin_minlen_rpid "fido_dev_t *dev" "const char * const *rpid" "size_t n" "const char *pin"
.Sh DESCRIPTION
The functions described in this page allow configuration of a
CTAP 2.1 authenticator.
.Pp
The
.Fn fido_dev_enable_entattest
function enables the
.Em Enterprise Attestation
feature on
.Fa dev .
.Em Enterprise Attestation
instructs the authenticator to include uniquely identifying
information in subsequent attestation statements.
The
.Fa pin
parameter may be NULL if
.Fa dev
does not have a PIN set.
.Pp
The
.Fn fido_dev_toggle_always_uv
function toggles the
.Dq user verification always
feature on
.Fa dev .
When set, this toggle enforces user verification at the
authenticator level for all known credentials.
Because the call toggles the setting rather than setting it to a
given value, a caller that wants the feature enabled should first
check its current state with
.Xr fido_dev_get_cbor_info 3 ;
calling the function while the feature is already enabled may
turn it off.
If
.Fa dev
supports U2F (CTAP1) and the user verification methods supported by
the authenticator do not allow protection of U2F credentials, the
U2F subsystem will be disabled by the authenticator.
The
.Fa pin
parameter may be NULL if
.Fa dev
does not have a PIN set.
.Pp
The
.Fn fido_dev_force_pin_change
function instructs
.Fa dev
to require a PIN change.
Subsequent PIN authentication attempts against
.Fa dev
will fail until its PIN is changed.
.Pp
The
.Fn fido_dev_set_pin_minlen
function sets the minimum PIN length of
.Fa dev
to
.Fa len .
Minimum PIN lengths may only be increased.
.Pp
The
.Fn fido_dev_set_pin_minlen_rpid
function sets the list of relying party identifiers
.Pq RP IDs
that are allowed to obtain the minimum PIN length of
.Fa dev
through the CTAP 2.1
.Dv FIDO_EXT_MINPINLEN
extension.
The list of RP identifiers is denoted by
.Fa rpid ,
a vector of
.Fa n
NUL-terminated UTF-8 strings.
A copy of
.Fa rpid
is made, and no reference to it or its contents is kept.
.Pp
Configuration settings are reflected in the payload returned by the
authenticator in response to a
.Xr fido_dev_get_cbor_info 3
call.
.Sh RETURN VALUES
The error codes returned by
.Fn fido_dev_enable_entattest ,
.Fn fido_dev_toggle_always_uv ,
.Fn fido_dev_force_pin_change ,
.Fn fido_dev_set_pin_minlen ,
and
.Fn fido_dev_set_pin_minlen_rpid
are defined in
.In fido/err.h .
On success,
.Dv FIDO_OK
is returned.
.Sh SEE ALSO
.Xr fido_cred_pin_minlen 3 ,
.Xr fido_dev_get_cbor_info 3 ,
.Xr fido_dev_reset 3