xref: /freebsd/contrib/libfido2/man/fido_dev_enable_entattest.3 (revision b5a3a89c50671a1ad29e7c43fe15e7b16feac239)
1.\" Copyright (c) 2020 Yubico AB. All rights reserved.
2.\" Use of this source code is governed by a BSD-style
3.\" license that can be found in the LICENSE file.
4.\"
5.Dd $Mdocdate: September 22 2020 $
6.Dt FIDO_DEV_ENABLE_ENTATTEST 3
7.Os
8.Sh NAME
9.Nm fido_dev_enable_entattest ,
10.Nm fido_dev_toggle_always_uv ,
11.Nm fido_dev_force_pin_change ,
12.Nm fido_dev_set_pin_minlen ,
13.Nm fido_dev_set_pin_minlen_rpid
14.Nd CTAP 2.1 configuration authenticator API
15.Sh SYNOPSIS
16.In fido.h
17.In fido/config.h
18.Ft int
19.Fn fido_dev_enable_entattest "fido_dev_t *dev" "const char *pin"
20.Ft int
21.Fn fido_dev_toggle_always_uv "fido_dev_t *dev" "const char *pin"
22.Ft int
23.Fn fido_dev_force_pin_change "fido_dev_t *dev" "const char *pin"
24.Ft int
25.Fn fido_dev_set_pin_minlen "fido_dev_t *dev" "size_t len" "const char *pin"
26.Ft int
27.Fn fido_dev_set_pin_minlen_rpid "fido_dev_t *dev" "const char * const *rpid" "size_t n" "const char *pin"
28.Sh DESCRIPTION
29The functions described in this page allow configuration of a
30CTAP 2.1 authenticator.
31.Pp
32The
33.Fn fido_dev_enable_entattest
34function enables the
35.Em Enterprise Attestation
36feature on
37.Fa dev .
38.Em Enterprise Attestation
39instructs the authenticator to include uniquely identifying
40information in subsequent attestation statements.
41The
42.Fa pin
43parameter may be NULL if
44.Fa dev
45does not have a PIN set.
46.Pp
47The
48.Fn fido_dev_toggle_always_uv
49function toggles the
50.Dq user verification always
51feature on
52.Fa dev .
53When set, this toggle enforces user verification at the
54authenticator level for all known credentials.
55If
56.Fa dev
57supports U2F (CTAP1) and the user verification methods supported by
58the authenticator do not allow protection of U2F credentials, the
59U2F subsystem will be disabled by the authenticator.
60The
61.Fa pin
62parameter may be NULL if
63.Fa dev
64does not have a PIN set.
65.Pp
66The
67.Fn fido_dev_force_pin_change
68instructs
69.Fa dev
70to require a PIN change.
71Subsequent PIN authentication attempts against
72.Fa dev
73will fail until its PIN is changed.
74.Pp
75The
76.Fn fido_dev_set_pin_minlen
77function sets the minimum PIN length of
78.Fa dev
79to
80.Fa len .
81Minimum PIN lengths may only be increased.
82.Pp
83The
84.Fn fido_dev_set_pin_minlen_rpid
85function sets the list of relying party identifiers
86.Pq RP IDs
87that are allowed to obtain the minimum PIN length of
88.Fa dev
89through the CTAP 2.1
90.Dv FIDO_EXT_MINPINLEN
91extension.
92The list of RP identifiers is denoted by
93.Fa rpid ,
94a vector of
95.Fa n
96NUL-terminated UTF-8 strings.
97A copy of
98.Fa rpid
99is made, and no reference to it or its contents is kept.
100.Pp
101Configuration settings are reflected in the payload returned by the
102authenticator in response to a
103.Xr fido_dev_get_cbor_info 3
104call.
.Sh RETURN VALUES
The error codes returned by
.Fn fido_dev_enable_entattest ,
.Fn fido_dev_toggle_always_uv ,
.Fn fido_dev_force_pin_change ,
.Fn fido_dev_set_pin_minlen ,
and
.Fn fido_dev_set_pin_minlen_rpid
are defined in
.In fido/err.h .
On success,
.Dv FIDO_OK
is returned.
.Sh SEE ALSO
.Xr fido_cred_pin_minlen 3 ,
.Xr fido_dev_get_cbor_info 3 ,
.Xr fido_dev_reset 3