1.\" Copyright (c) 2018 Yubico AB. All rights reserved.
2.\" Use of this source code is governed by a BSD-style
3.\" license that can be found in the LICENSE file.
4.\"
5.Dd $Mdocdate: May 23 2018 $
6.Dt FIDO_CRED_SET_AUTHDATA 3
7.Os
8.Sh NAME
9.Nm fido_cred_set_authdata ,
10.Nm fido_cred_set_authdata_raw ,
11.Nm fido_cred_set_x509 ,
12.Nm fido_cred_set_sig ,
13.Nm fido_cred_set_id ,
14.Nm fido_cred_set_clientdata ,
15.Nm fido_cred_set_clientdata_hash ,
16.Nm fido_cred_set_rp ,
17.Nm fido_cred_set_user ,
18.Nm fido_cred_set_extensions ,
19.Nm fido_cred_set_blob ,
20.Nm fido_cred_set_prot ,
21.Nm fido_cred_set_rk ,
22.Nm fido_cred_set_uv ,
23.Nm fido_cred_set_fmt ,
24.Nm fido_cred_set_type
25.Nd set parameters of a FIDO 2 credential
26.Sh SYNOPSIS
27.In fido.h
28.Bd -literal
29typedef enum {
30	FIDO_OPT_OMIT = 0, /* use authenticator's default */
31	FIDO_OPT_FALSE,    /* explicitly set option to false */
32        FIDO_OPT_TRUE,     /* explicitly set option to true */
33} fido_opt_t;
34.Ed
35.Ft int
36.Fn fido_cred_set_authdata "fido_cred_t *cred" "const unsigned char *ptr" "size_t len"
37.Ft int
38.Fn fido_cred_set_authdata_raw "fido_cred_t *cred" "const unsigned char *ptr" "size_t len"
39.Ft int
40.Fn fido_cred_set_x509 "fido_cred_t *cred" "const unsigned char *ptr" "size_t len"
41.Ft int
42.Fn fido_cred_set_sig "fido_cred_t *cred" "const unsigned char *ptr" "size_t len"
43.Ft int
44.Fn fido_cred_set_id "fido_cred_t *cred" "const unsigned char *ptr" "size_t len"
45.Ft int
46.Fn fido_cred_set_clientdata "fido_cred_t *cred" "const unsigned char *ptr" "size_t len"
47.Ft int
48.Fn fido_cred_set_clientdata_hash "fido_cred_t *cred" "const unsigned char *ptr" "size_t len"
49.Ft int
50.Fn fido_cred_set_rp "fido_cred_t *cred" "const char *id" "const char *name"
51.Ft int
52.Fn fido_cred_set_user "fido_cred_t *cred" "const unsigned char *user_id" "size_t user_id_len" "const char *name" "const char *display_name" "const char *icon"
53.Ft int
54.Fn fido_cred_set_extensions "fido_cred_t *cred" "int flags"
55.Ft int
56.Fn fido_cred_set_blob "fido_cred_t *cred" "const unsigned char *ptr" "size_t len"
57.Ft int
58.Fn fido_cred_set_prot "fido_cred_t *cred" "int prot"
59.Ft int
60.Fn fido_cred_set_rk "fido_cred_t *cred" "fido_opt_t rk"
61.Ft int
62.Fn fido_cred_set_uv "fido_cred_t *cred" "fido_opt_t uv"
63.Ft int
64.Fn fido_cred_set_fmt "fido_cred_t *cred" "const char *ptr"
65.Ft int
66.Fn fido_cred_set_type "fido_cred_t *cred" "int cose_alg"
67.Sh DESCRIPTION
68The
69.Nm
70set of functions define the various parameters of a FIDO 2
71credential, allowing a
72.Fa fido_cred_t
73type to be prepared for a subsequent call to
74.Xr fido_dev_make_cred 3
75or
76.Xr fido_cred_verify 3 .
77For the complete specification of a FIDO 2 credential and the format
78of its constituent parts, please refer to the Web Authentication
79(webauthn) standard.
80.Pp
81The
82.Fn fido_cred_set_authdata ,
83.Fn fido_cred_set_x509 ,
84.Fn fido_cred_set_sig ,
85.Fn fido_cred_set_id ,
86and
87.Fn fido_cred_set_clientdata_hash
88functions set the authenticator data, attestation certificate,
89signature, id, and client data hash parts of
90.Fa cred
91to
92.Fa ptr ,
93where
94.Fa ptr
95points to
96.Fa len
97bytes.
98A copy of
99.Fa ptr
100is made, and no references to the passed pointer are kept.
101The authenticator data passed to
102.Fn fido_cred_set_authdata
103must be a CBOR-encoded byte string, as obtained from
104.Fn fido_cred_authdata_ptr .
105Alternatively, a raw binary blob may be passed to
106.Fn fido_cred_set_authdata_raw .
107.Pp
108An application calling
109.Fn fido_cred_set_authdata
110does not need to call
111.Fn fido_cred_set_id .
112The latter is meant to be used in contexts where the
113credential's authenticator data is not available.
114.Pp
115The
116.Fn fido_cred_set_clientdata
117function allows an application to set the client data hash of
118.Fa cred
119by specifying the credential's unhashed client data.
120This is required by Windows Hello, which calculates the client data
121hash internally.
122For compatibility with Windows Hello, applications should use
123.Fn fido_cred_set_clientdata
124instead of
125.Fn fido_cred_set_clientdata_hash .
126.Pp
127The
128.Fn fido_cred_set_rp
129function sets the relying party
130.Fa id
131and
132.Fa name
133parameters of
134.Fa cred ,
135where
136.Fa id
137and
138.Fa name
139are NUL-terminated UTF-8 strings.
140The contents of
141.Fa id
142and
143.Fa name
144are copied, and no references to the passed pointers are kept.
145.Pp
146The
147.Fn fido_cred_set_user
148function sets the user attributes of
149.Fa cred ,
150where
151.Fa user_id
152points to
153.Fa user_id_len
154bytes and
155.Fa name ,
156.Fa display_name ,
157and
158.Fa icon
159are NUL-terminated UTF-8 strings.
160The contents of
161.Fa user_id ,
162.Fa name ,
163.Fa display_name ,
164and
165.Fa icon
166are copied, and no references to the passed pointers are kept.
167Previously set user attributes are flushed.
168The
169.Fa user_id ,
170.Fa name ,
171.Fa display_name ,
172and
173.Fa icon
174parameters may be NULL.
175.Pp
176The
177.Fn fido_cred_set_extensions
178function sets the extensions of
179.Fa cred
180to the bitmask
181.Fa flags .
182At the moment, only the
183.Dv FIDO_EXT_CRED_BLOB ,
184.Dv FIDO_EXT_CRED_PROTECT ,
185.Dv FIDO_EXT_HMAC_SECRET ,
186and
187.Dv FIDO_EXT_LARGEBLOB_KEY
188extensions are supported.
189If
190.Fa flags
191is zero, the extensions of
192.Fa cred
193are cleared.
194.Pp
195The
196.Fn fido_cred_set_blob
197function sets the
198.Dq credBlob
199to be stored with
200.Fa cred
201to the data pointed to by
202.Fa ptr ,
203which must be
204.Fa len
205bytes long.
206.Pp
207The
208.Fn fido_cred_set_prot
209function sets the protection of
210.Fa cred
211to the scalar
212.Fa prot .
213At the moment, only the
214.Dv FIDO_CRED_PROT_UV_OPTIONAL ,
215.Dv FIDO_CRED_PROT_UV_OPTIONAL_WITH_ID ,
216and
217.Dv FIDO_CRED_PROT_UV_REQUIRED
218protections are supported.
219If
220.Fa prot
221is zero, the protection of
222.Fa cred
223is cleared.
224.Pp
225The
226.Fn fido_cred_set_rk
227and
228.Fn fido_cred_set_uv
229functions set the
230.Em rk
231.Pq resident/discoverable key
232and
233.Em uv
234.Pq user verification
235attributes of
236.Fa cred .
237Both are
238.Dv FIDO_OPT_OMIT
239by default, allowing the authenticator to use its default settings.
240.Pp
241The
242.Fn fido_cred_set_fmt
243function sets the attestation format of
244.Fa cred
245to
246.Fa fmt ,
247where
248.Fa fmt
249must be
250.Vt "packed"
251.Pq the format used in FIDO2 ,
252.Vt "fido-u2f"
253.Pq the format used by U2F ,
254or
255.Vt "none" .
256A copy of
257.Fa fmt
258is made, and no references to the passed pointer are kept.
259Note that not all authenticators support FIDO2 and therefore may not
260be able to generate
261.Vt "packed" .
262.Pp
263The
264.Fn fido_cred_set_type
265function sets the type of
266.Fa cred to
267.Fa cose_alg ,
268where
269.Fa cose_alg
270is
271.Dv COSE_ES256 ,
272.Dv COSE_RS256 ,
273or
274.Dv COSE_EDDSA .
275The type of a credential may only be set once.
276Note that not all authenticators support COSE_RS256 or COSE_EDDSA.
277.Pp
278Use of the
279.Nm
280set of functions may happen in two distinct situations:
281when generating a new credential on a FIDO device, prior to
282.Xr fido_dev_make_cred 3
283(i.e, in the context of a FIDO client), or when validating
284a generated credential using
285.Xr fido_cred_verify 3
286(i.e, in the context of a FIDO server).
287.Pp
288For a complete description of the generation of a FIDO 2 credential
289and its verification, please refer to the FIDO 2 specification.
290A concrete utilisation example of the
291.Nm
292set of functions can be found in the
293.Pa cred.c
294example shipped with
295.Em libfido2 .
296.Sh RETURN VALUES
297The error codes returned by the
298.Nm
299set of functions are defined in
300.In fido/err.h .
301On success,
302.Dv FIDO_OK
303is returned.
304.Sh SEE ALSO
305.Xr fido_cred_exclude 3 ,
306.Xr fido_cred_verify 3 ,
307.Xr fido_dev_make_cred 3
308