xref: /freebsd/contrib/libfido2/man/fido_dev_enable_entattest.3 (revision fe75646a0234a261c0013bf1840fdac4acaf0cec)
1.\" Copyright (c) 2020-2022 Yubico AB. All rights reserved.
2.\"
3.\" Redistribution and use in source and binary forms, with or without
4.\" modification, are permitted provided that the following conditions are
5.\" met:
6.\"
7.\"    1. Redistributions of source code must retain the above copyright
8.\"       notice, this list of conditions and the following disclaimer.
9.\"    2. Redistributions in binary form must reproduce the above copyright
10.\"       notice, this list of conditions and the following disclaimer in
11.\"       the documentation and/or other materials provided with the
12.\"       distribution.
13.\"
14.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
15.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
16.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
17.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
18.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
19.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
20.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
24.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25.\"
26.\" SPDX-License-Identifier: BSD-2-Clause
27.\"
28.Dd $Mdocdate: March 30 2022 $
29.Dt FIDO_DEV_ENABLE_ENTATTEST 3
30.Os
31.Sh NAME
32.Nm fido_dev_enable_entattest ,
33.Nm fido_dev_toggle_always_uv ,
34.Nm fido_dev_force_pin_change ,
35.Nm fido_dev_set_pin_minlen ,
36.Nm fido_dev_set_pin_minlen_rpid
37.Nd CTAP 2.1 configuration authenticator API
38.Sh SYNOPSIS
39.In fido.h
40.In fido/config.h
41.Ft int
42.Fn fido_dev_enable_entattest "fido_dev_t *dev" "const char *pin"
43.Ft int
44.Fn fido_dev_toggle_always_uv "fido_dev_t *dev" "const char *pin"
45.Ft int
46.Fn fido_dev_force_pin_change "fido_dev_t *dev" "const char *pin"
47.Ft int
48.Fn fido_dev_set_pin_minlen "fido_dev_t *dev" "size_t len" "const char *pin"
49.Ft int
50.Fn fido_dev_set_pin_minlen_rpid "fido_dev_t *dev" "const char * const *rpid" "size_t n" "const char *pin"
51.Sh DESCRIPTION
52The functions described in this page allow configuration of a
53CTAP 2.1 authenticator.
54.Pp
55The
56.Fn fido_dev_enable_entattest
57function enables the
58.Em Enterprise Attestation
59feature on
60.Fa dev .
61.Em Enterprise Attestation
62instructs the authenticator to include uniquely identifying
63information in subsequent attestation statements.
64The
65.Fa pin
66parameter may be NULL if
67.Fa dev
68does not have a PIN set.
69.Pp
70The
71.Fn fido_dev_toggle_always_uv
72function toggles the
73.Dq user verification always
74feature on
75.Fa dev .
76When set, this toggle enforces user verification at the
77authenticator level for all known credentials.
78If
79.Fa dev
80supports U2F (CTAP1) and the user verification methods supported by
81the authenticator do not allow protection of U2F credentials, the
82U2F subsystem will be disabled by the authenticator.
83The
84.Fa pin
85parameter may be NULL if
86.Fa dev
87does not have a PIN set.
88.Pp
89The
90.Fn fido_dev_force_pin_change
91function instructs
92.Fa dev
93to require a PIN change.
94Subsequent PIN authentication attempts against
95.Fa dev
96will fail until its PIN is changed.
97.Pp
98The
99.Fn fido_dev_set_pin_minlen
100function sets the minimum PIN length of
101.Fa dev
102to
103.Fa len .
104Minimum PIN lengths may only be increased.
105.Pp
106The
107.Fn fido_dev_set_pin_minlen_rpid
108function sets the list of relying party identifiers
109.Pq RP IDs
110that are allowed to obtain the minimum PIN length of
111.Fa dev
112through the CTAP 2.1
113.Dv FIDO_EXT_MINPINLEN
114extension.
115The list of RP identifiers is denoted by
116.Fa rpid ,
117a vector of
118.Fa n
119NUL-terminated UTF-8 strings.
120A copy of
121.Fa rpid
122is made, and no reference to it or its contents is kept.
123The maximum value of
124.Fa n
125supported by the authenticator can be obtained using
126.Xr fido_cbor_info_maxrpid_minpinlen 3 .
127.Pp
128Configuration settings are reflected in the payload returned by the
129authenticator in response to a
130.Xr fido_dev_get_cbor_info 3
131call.
132.Sh RETURN VALUES
133The error codes returned by
134.Fn fido_dev_enable_entattest ,
135.Fn fido_dev_toggle_always_uv ,
136.Fn fido_dev_force_pin_change ,
137.Fn fido_dev_set_pin_minlen ,
138and
139.Fn fido_dev_set_pin_minlen_rpid
140are defined in
141.In fido/err.h .
142On success,
143.Dv FIDO_OK
144is returned.
145.Sh SEE ALSO
146.Xr fido_cbor_info_maxrpid_minpinlen 3 ,
147.Xr fido_cred_pin_minlen 3 ,
148.Xr fido_dev_get_cbor_info 3 ,
149.Xr fido_dev_reset 3
150