1.\" Copyright (c) 2018-2022 Yubico AB. All rights reserved.
2.\"
3.\" Redistribution and use in source and binary forms, with or without
4.\" modification, are permitted provided that the following conditions are
5.\" met:
6.\"
7.\"    1. Redistributions of source code must retain the above copyright
8.\"       notice, this list of conditions and the following disclaimer.
9.\"    2. Redistributions in binary form must reproduce the above copyright
10.\"       notice, this list of conditions and the following disclaimer in
11.\"       the documentation and/or other materials provided with the
12.\"       distribution.
13.\"
14.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
15.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
16.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
17.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
18.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
19.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
20.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
24.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25.\"
26.\" SPDX-License-Identifier: BSD-2-Clause
27.\"
28.Dd $Mdocdate: July 15 2022 $
29.Dt FIDO_CRED_SET_AUTHDATA 3
30.Os
31.Sh NAME
32.Nm fido_cred_set_authdata ,
33.Nm fido_cred_set_authdata_raw ,
34.Nm fido_cred_set_attstmt ,
35.Nm fido_cred_set_x509 ,
36.Nm fido_cred_set_sig ,
37.Nm fido_cred_set_id ,
38.Nm fido_cred_set_clientdata ,
39.Nm fido_cred_set_clientdata_hash ,
40.Nm fido_cred_set_rp ,
41.Nm fido_cred_set_user ,
42.Nm fido_cred_set_extensions ,
43.Nm fido_cred_set_blob ,
44.Nm fido_cred_set_pin_minlen ,
45.Nm fido_cred_set_prot ,
46.Nm fido_cred_set_rk ,
47.Nm fido_cred_set_uv ,
48.Nm fido_cred_set_fmt ,
49.Nm fido_cred_set_type
50.Nd set parameters of a FIDO2 credential
51.Sh SYNOPSIS
52.In fido.h
53.Bd -literal
54typedef enum {
55	FIDO_OPT_OMIT = 0, /* use authenticator's default */
56	FIDO_OPT_FALSE,    /* explicitly set option to false */
57        FIDO_OPT_TRUE,     /* explicitly set option to true */
58} fido_opt_t;
59.Ed
60.Ft int
61.Fn fido_cred_set_authdata "fido_cred_t *cred" "const unsigned char *ptr" "size_t len"
62.Ft int
63.Fn fido_cred_set_authdata_raw "fido_cred_t *cred" "const unsigned char *ptr" "size_t len"
64.Ft int
65.Fn fido_cred_set_attstmt "fido_cred_t *cred" "const unsigned char *ptr" "size_t len"
66.Ft int
67.Fn fido_cred_set_x509 "fido_cred_t *cred" "const unsigned char *ptr" "size_t len"
68.Ft int
69.Fn fido_cred_set_sig "fido_cred_t *cred" "const unsigned char *ptr" "size_t len"
70.Ft int
71.Fn fido_cred_set_id "fido_cred_t *cred" "const unsigned char *ptr" "size_t len"
72.Ft int
73.Fn fido_cred_set_clientdata "fido_cred_t *cred" "const unsigned char *ptr" "size_t len"
74.Ft int
75.Fn fido_cred_set_clientdata_hash "fido_cred_t *cred" "const unsigned char *ptr" "size_t len"
76.Ft int
77.Fn fido_cred_set_rp "fido_cred_t *cred" "const char *id" "const char *name"
78.Ft int
79.Fn fido_cred_set_user "fido_cred_t *cred" "const unsigned char *user_id" "size_t user_id_len" "const char *name" "const char *display_name" "const char *icon"
80.Ft int
81.Fn fido_cred_set_extensions "fido_cred_t *cred" "int flags"
82.Ft int
83.Fn fido_cred_set_blob "fido_cred_t *cred" "const unsigned char *ptr" "size_t len"
84.Ft int
85.Fn fido_cred_set_pin_minlen "fido_cred_t *cred" "size_t len"
86.Ft int
87.Fn fido_cred_set_prot "fido_cred_t *cred" "int prot"
88.Ft int
89.Fn fido_cred_set_rk "fido_cred_t *cred" "fido_opt_t rk"
90.Ft int
91.Fn fido_cred_set_uv "fido_cred_t *cred" "fido_opt_t uv"
92.Ft int
93.Fn fido_cred_set_fmt "fido_cred_t *cred" "const char *ptr"
94.Ft int
95.Fn fido_cred_set_type "fido_cred_t *cred" "int cose_alg"
96.Sh DESCRIPTION
97The
98.Nm
99set of functions define the various parameters of a FIDO2
100credential, allowing a
101.Fa fido_cred_t
102type to be prepared for a subsequent call to
103.Xr fido_dev_make_cred 3
104or
105.Xr fido_cred_verify 3 .
106For the complete specification of a FIDO2 credential and the format
107of its constituent parts, please refer to the Web Authentication
108(webauthn) standard.
109.Pp
110The
111.Fn fido_cred_set_authdata ,
112.Fn fido_cred_set_attstmt ,
113.Fn fido_cred_set_x509 ,
114.Fn fido_cred_set_sig ,
115.Fn fido_cred_set_id ,
116and
117.Fn fido_cred_set_clientdata_hash
118functions set the authenticator data, attestation statement,
119attestation certificate, attestation signature, id, and client
120data hash parts of
121.Fa cred
122to
123.Fa ptr ,
124where
125.Fa ptr
126points to
127.Fa len
128bytes.
129A copy of
130.Fa ptr
131is made, and no references to the passed pointer are kept.
132.Pp
133The authenticator data passed to
134.Fn fido_cred_set_authdata
135must be a CBOR-encoded byte string, as obtained from
136.Fn fido_cred_authdata_ptr .
137Alternatively, a raw binary blob may be passed to
138.Fn fido_cred_set_authdata_raw .
139An application calling
140.Fn fido_cred_set_authdata
141does not need to call
142.Fn fido_cred_set_id .
143The latter is meant to be used in contexts where the
144credential's authenticator data is not available.
145.Pp
146The attestation statement passed to
147.Fn fido_cred_set_attstmt
148must be a CBOR-encoded map, as obtained from
149.Fn fido_cred_attstmt_ptr .
150An application calling
151.Fn fido_cred_set_attstmt
152does not need to call
153.Fn fido_cred_set_x509
154or
155.Fn fido_cred_set_sig .
156The latter two are meant to be used in contexts where the
157credential's complete attestation statement is not available or
158required.
159.Pp
160The
161.Fn fido_cred_set_clientdata
162function allows an application to set the client data hash of
163.Fa cred
164by specifying the credential's unhashed client data.
165This is required by Windows Hello, which calculates the client data
166hash internally.
167For compatibility with Windows Hello, applications should use
168.Fn fido_cred_set_clientdata
169instead of
170.Fn fido_cred_set_clientdata_hash .
171.Pp
172The
173.Fn fido_cred_set_rp
174function sets the relying party
175.Fa id
176and
177.Fa name
178parameters of
179.Fa cred ,
180where
181.Fa id
182and
183.Fa name
184are NUL-terminated UTF-8 strings.
185The contents of
186.Fa id
187and
188.Fa name
189are copied, and no references to the passed pointers are kept.
190.Pp
191The
192.Fn fido_cred_set_user
193function sets the user attributes of
194.Fa cred ,
195where
196.Fa user_id
197points to
198.Fa user_id_len
199bytes and
200.Fa name ,
201.Fa display_name ,
202and
203.Fa icon
204are NUL-terminated UTF-8 strings.
205The contents of
206.Fa user_id ,
207.Fa name ,
208.Fa display_name ,
209and
210.Fa icon
211are copied, and no references to the passed pointers are kept.
212Previously set user attributes are flushed.
213The
214.Fa user_id ,
215.Fa name ,
216.Fa display_name ,
217and
218.Fa icon
219parameters may be NULL.
220.Pp
221The
222.Fn fido_cred_set_extensions
223function sets the extensions of
224.Fa cred
225to the bitmask
226.Fa flags .
227At the moment, only the
228.Dv FIDO_EXT_CRED_BLOB ,
229.Dv FIDO_EXT_CRED_PROTECT ,
230.Dv FIDO_EXT_HMAC_SECRET ,
231.Dv FIDO_EXT_MINPINLEN ,
232and
233.Dv FIDO_EXT_LARGEBLOB_KEY
234extensions are supported.
235If
236.Fa flags
237is zero, the extensions of
238.Fa cred
239are cleared.
240.Pp
241The
242.Fn fido_cred_set_blob
243function sets the
244.Dq credBlob
245to be stored with
246.Fa cred
247to the data pointed to by
248.Fa ptr ,
249which must be
250.Fa len
251bytes long.
252.Pp
253The
254.Fn fido_cred_set_pin_minlen
255function enables the CTAP 2.1
256.Dv FIDO_EXT_MINPINLEN
257extension on
258.Fa cred
259and sets the expected minimum PIN length of
260.Fa cred
261to
262.Fa len ,
263where
264.Fa len
265is greater than zero.
266If
267.Fa len
268is zero, the
269.Dv FIDO_EXT_MINPINLEN
270extension is disabled on
271.Fa cred .
272.Pp
273The
274.Fn fido_cred_set_prot
275function enables the CTAP 2.1
276.Dv FIDO_EXT_CRED_PROTECT
277extension on
278.Fa cred
279and sets the protection of
280.Fa cred
281to the scalar
282.Fa prot .
283At the moment, only the
284.Dv FIDO_CRED_PROT_UV_OPTIONAL ,
285.Dv FIDO_CRED_PROT_UV_OPTIONAL_WITH_ID ,
286and
287.Dv FIDO_CRED_PROT_UV_REQUIRED
288protections are supported.
289If
290.Fa prot
291is zero, the protection of
292.Fa cred
293is cleared.
294.Pp
295The
296.Fn fido_cred_set_rk
297and
298.Fn fido_cred_set_uv
299functions set the
300.Em rk
301.Pq resident/discoverable key
302and
303.Em uv
304.Pq user verification
305attributes of
306.Fa cred .
307Both are
308.Dv FIDO_OPT_OMIT
309by default, allowing the authenticator to use its default settings.
310.Pp
311The
312.Fn fido_cred_set_fmt
313function sets the attestation statement format identifier of
314.Fa cred
315to
316.Fa fmt ,
317where
318.Fa fmt
319must be
320.Vt "packed"
321.Pq the format used in FIDO2 ,
322.Vt "fido-u2f"
323.Pq the format used in U2F ,
324.Vt "tpm"
325.Pq the format used by TPM-based authenticators ,
326or
327.Vt "none" .
328A copy of
329.Fa fmt
330is made, and no references to the passed pointer are kept.
331Note that not all authenticators support FIDO2 and therefore may only
332be able to generate
333.Vt fido-u2f
334attestation statements.
335.Pp
336The
337.Fn fido_cred_set_type
338function sets the type of
339.Fa cred to
340.Fa cose_alg ,
341where
342.Fa cose_alg
343is
344.Dv COSE_ES256 ,
345.Dv COSE_ES384 ,
346.Dv COSE_RS256 ,
347or
348.Dv COSE_EDDSA .
349The type of a credential may only be set once.
350Note that not all authenticators support COSE_RS256, COSE_ES384, or
351COSE_EDDSA.
352.Pp
353Use of the
354.Nm
355set of functions may happen in two distinct situations:
356when generating a new credential on a FIDO2 device, prior to
357.Xr fido_dev_make_cred 3
358(i.e, in the context of a FIDO2 client), or when validating
359a generated credential using
360.Xr fido_cred_verify 3
361(i.e, in the context of a FIDO2 server).
362.Pp
363For a complete description of the generation of a FIDO2 credential
364and its verification, please refer to the FIDO2 specification.
365A concrete utilisation example of the
366.Nm
367set of functions can be found in the
368.Pa cred.c
369example shipped with
370.Em libfido2 .
371.Sh RETURN VALUES
372The error codes returned by the
373.Nm
374set of functions are defined in
375.In fido/err.h .
376On success,
377.Dv FIDO_OK
378is returned.
379.Sh SEE ALSO
380.Xr fido_cred_exclude 3 ,
381.Xr fido_cred_verify 3 ,
382.Xr fido_dev_make_cred 3
383