xref: /freebsd/contrib/libfido2/man/fido_dev_enable_entattest.3 (revision f540a43052c12c76d3453ead881248d5467a1ab0)
.\" Copyright (c) 2020 Yubico AB. All rights reserved.
.\" Use of this source code is governed by a BSD-style
.\" license that can be found in the LICENSE file.
.\"
.Dd $Mdocdate: September 22 2020 $
.Dt FIDO_DEV_ENABLE_ENTATTEST 3
.Os
.Sh NAME
.Nm fido_dev_enable_entattest ,
.Nm fido_dev_toggle_always_uv ,
.Nm fido_dev_force_pin_change ,
.Nm fido_dev_set_pin_minlen ,
.Nm fido_dev_set_pin_minlen_rpid
.Nd FIDO 2.1 configuration authenticator API
.Sh SYNOPSIS
.In fido.h
.In fido/config.h
.Ft int
.Fn fido_dev_enable_entattest "fido_dev_t *dev" "const char *pin"
.Ft int
.Fn fido_dev_toggle_always_uv "fido_dev_t *dev" "const char *pin"
.Ft int
.Fn fido_dev_force_pin_change "fido_dev_t *dev" "const char *pin"
.Ft int
.Fn fido_dev_set_pin_minlen "fido_dev_t *dev" "size_t len" "const char *pin"
.Ft int
.Fn fido_dev_set_pin_minlen_rpid "fido_dev_t *dev" "const char * const *rpid" "size_t n" "const char *pin"
.Sh DESCRIPTION
The functions described in this page allow configuration of a
FIDO 2.1 authenticator.
.Pp
The
.Fn fido_dev_enable_entattest
function enables the
.Em Enterprise Attestation
feature on
.Fa dev .
.Em Enterprise Attestation
instructs the authenticator to include uniquely identifying
information in subsequent attestation statements.
The
.Fa pin
parameter may be NULL if
.Fa dev
does not have a PIN set.
.Pp
The
.Fn fido_dev_toggle_always_uv
function toggles the
.Dq user verification always
feature on
.Fa dev .
When set, this toggle enforces user verification at the
authenticator level for all known credentials.
If
.Fa dev
supports U2F (CTAP1) and the user verification methods supported by
the authenticator do not allow protection of U2F credentials, the
U2F subsystem will be disabled by the authenticator.
The
.Fa pin
parameter may be NULL if
.Fa dev
does not have a PIN set.
.Pp
The
.Fn fido_dev_force_pin_change
instructs
.Fa dev
to require a PIN change.
Subsequent PIN authentication attempts against
.Fa dev
will fail until its PIN is changed.
.Pp
The
.Fn fido_dev_set_pin_minlen
function sets the minimum PIN length of
.Fa dev
to
.Fa len .
Minimum PIN lengths may only be increased.
.Pp
The
.Fn fido_dev_set_pin_minlen_rpid
function sets the list of relying party identifiers
.Pq RP IDs
that are allowed to obtain the minimum PIN length of
.Fa dev
through the FIDO 2.1
.Dv FIDO_EXT_MINPINLEN
extension.
The list of RP identifiers is denoted by
.Fa rpid ,
a vector of
.Fa n
NUL-terminated UTF-8 strings.
A copy of
.Fa rpid
is made, and no reference to it or its contents is kept.
.Pp
Configuration settings are reflected in the payload returned by the
authenticator in response to a
.Xr fido_dev_get_cbor_info 3
call.
.Sh RETURN VALUES
The error codes returned by
.Fn fido_dev_enable_entattest ,
.Fn fido_dev_toggle_always_uv ,
.Fn fido_dev_force_pin_change ,
.Fn fido_dev_set_pin_minlen ,
and
.Fn fido_dev_set_pin_minlen_rpid
are defined in
.In fido/err.h .
On success,
.Dv FIDO_OK
is returned.
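.Sh EXAMPLES
The following is an added example, not part of the original page or of libfido2: because fido_dev_toggle_always_uv flips the setting and the minimum PIN length may only be increased, a provisioning routine should read the current state first and change only what is off.
The authn_ops interface, harden() and the in-memory fake authenticator are hypothetical names constructed here so the logic runs without hardware.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical interface: the caller fills it with thin wrappers around
 * fido_dev_get_cbor_info(3) and the configuration calls on this page. */
struct authn_ops {
	int (*read_state)(void *dev, bool *always_uv, size_t *minlen);
	int (*toggle_always_uv)(void *dev, const char *pin);
	int (*set_pin_minlen)(void *dev, size_t len, const char *pin);
};

enum { CFG_OK = 0, CFG_ERR_READ = -1, CFG_ERR_WRITE = -2, CFG_ERR_VERIFY = -3 };

/* Bring dev to "always UV on, minimum PIN length >= want". Repeatable:
 * it never toggles blindly and never requests a shorter minimum. */
int harden(const struct authn_ops *ops, void *dev, const char *pin, size_t want)
{
	bool uv;
	size_t minlen;

	if (ops->read_state(dev, &uv, &minlen) != 0)
		return CFG_ERR_READ;
	/* A toggle is not a "set": flip only when the feature is off. */
	if (!uv && ops->toggle_always_uv(dev, pin) != 0)
		return CFG_ERR_WRITE;
	/* Minimum PIN lengths may only be increased. */
	if (minlen < want && ops->set_pin_minlen(dev, want, pin) != 0)
		return CFG_ERR_WRITE;
	/* Re-read instead of trusting the return codes alone. */
	if (ops->read_state(dev, &uv, &minlen) != 0)
		return CFG_ERR_READ;
	return (uv && minlen >= want) ? CFG_OK : CFG_ERR_VERIFY;
}

/* Constructed in-memory authenticator modelling the documented semantics. */
struct fake { bool uv; size_t minlen; int toggles; };

static int fake_read(void *d, bool *uv, size_t *m)
{ struct fake *f = d; *uv = f->uv; *m = f->minlen; return 0; }
static int fake_toggle(void *d, const char *pin)
{ struct fake *f = d; (void)pin; f->uv = !f->uv; f->toggles++; return 0; }
static int fake_minlen(void *d, size_t len, const char *pin)
{ struct fake *f = d; (void)pin; if (len < f->minlen) return 1; f->minlen = len; return 0; }
const struct authn_ops fake_ops = { fake_read, fake_toggle, fake_minlen };
int main(void)
{
	struct fake f = { false, 4, 0 };	/* constructed starting state */
	return harden(&fake_ops, &f, NULL, 8) | harden(&fake_ops, &f, NULL, 8);
}
```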
.Sh SEE ALSO
.Xr fido_cred_pin_minlen 3 ,
.Xr fido_dev_get_cbor_info 3 ,
.Xr fido_dev_reset 3