1.\" Copyright (c) 2018-2021 Yubico AB. All rights reserved.
2.\" Use of this source code is governed by a BSD-style
3.\" license that can be found in the LICENSE file.
4.\"
5.Dd $Mdocdate: May 23 2018 $
6.Dt FIDO_CRED_SET_AUTHDATA 3
7.Os
8.Sh NAME
9.Nm fido_cred_set_authdata ,
10.Nm fido_cred_set_authdata_raw ,
11.Nm fido_cred_set_attstmt ,
12.Nm fido_cred_set_x509 ,
13.Nm fido_cred_set_sig ,
14.Nm fido_cred_set_id ,
15.Nm fido_cred_set_clientdata ,
16.Nm fido_cred_set_clientdata_hash ,
17.Nm fido_cred_set_rp ,
18.Nm fido_cred_set_user ,
19.Nm fido_cred_set_extensions ,
20.Nm fido_cred_set_blob ,
21.Nm fido_cred_set_pin_minlen ,
22.Nm fido_cred_set_prot ,
23.Nm fido_cred_set_rk ,
24.Nm fido_cred_set_uv ,
25.Nm fido_cred_set_fmt ,
26.Nm fido_cred_set_type
27.Nd set parameters of a FIDO2 credential
28.Sh SYNOPSIS
29.In fido.h
30.Bd -literal
31typedef enum {
32	FIDO_OPT_OMIT = 0, /* use authenticator's default */
33	FIDO_OPT_FALSE,    /* explicitly set option to false */
34        FIDO_OPT_TRUE,     /* explicitly set option to true */
35} fido_opt_t;
36.Ed
37.Ft int
38.Fn fido_cred_set_authdata "fido_cred_t *cred" "const unsigned char *ptr" "size_t len"
39.Ft int
40.Fn fido_cred_set_authdata_raw "fido_cred_t *cred" "const unsigned char *ptr" "size_t len"
41.Ft int
42.Fn fido_cred_set_attstmt "fido_cred_t *cred" "const unsigned char *ptr" "size_t len"
43.Ft int
44.Fn fido_cred_set_x509 "fido_cred_t *cred" "const unsigned char *ptr" "size_t len"
45.Ft int
46.Fn fido_cred_set_sig "fido_cred_t *cred" "const unsigned char *ptr" "size_t len"
47.Ft int
48.Fn fido_cred_set_id "fido_cred_t *cred" "const unsigned char *ptr" "size_t len"
49.Ft int
50.Fn fido_cred_set_clientdata "fido_cred_t *cred" "const unsigned char *ptr" "size_t len"
51.Ft int
52.Fn fido_cred_set_clientdata_hash "fido_cred_t *cred" "const unsigned char *ptr" "size_t len"
53.Ft int
54.Fn fido_cred_set_rp "fido_cred_t *cred" "const char *id" "const char *name"
55.Ft int
56.Fn fido_cred_set_user "fido_cred_t *cred" "const unsigned char *user_id" "size_t user_id_len" "const char *name" "const char *display_name" "const char *icon"
57.Ft int
58.Fn fido_cred_set_extensions "fido_cred_t *cred" "int flags"
59.Ft int
60.Fn fido_cred_set_blob "fido_cred_t *cred" "const unsigned char *ptr" "size_t len"
61.Ft int
62.Fn fido_cred_set_pin_minlen "fido_cred_t *cred" "size_t len"
63.Ft int
64.Fn fido_cred_set_prot "fido_cred_t *cred" "int prot"
65.Ft int
66.Fn fido_cred_set_rk "fido_cred_t *cred" "fido_opt_t rk"
67.Ft int
68.Fn fido_cred_set_uv "fido_cred_t *cred" "fido_opt_t uv"
69.Ft int
70.Fn fido_cred_set_fmt "fido_cred_t *cred" "const char *ptr"
71.Ft int
72.Fn fido_cred_set_type "fido_cred_t *cred" "int cose_alg"
73.Sh DESCRIPTION
74The
75.Nm
76set of functions define the various parameters of a FIDO2
77credential, allowing a
78.Fa fido_cred_t
79type to be prepared for a subsequent call to
80.Xr fido_dev_make_cred 3
81or
82.Xr fido_cred_verify 3 .
83For the complete specification of a FIDO2 credential and the format
84of its constituent parts, please refer to the Web Authentication
85(webauthn) standard.
86.Pp
87The
88.Fn fido_cred_set_authdata ,
89.Fn fido_cred_set_attstmt ,
90.Fn fido_cred_set_x509 ,
91.Fn fido_cred_set_sig ,
92.Fn fido_cred_set_id ,
93and
94.Fn fido_cred_set_clientdata_hash
95functions set the authenticator data, attestation statement,
96attestation certificate, attestation signature, id, and client
97data hash parts of
98.Fa cred
99to
100.Fa ptr ,
101where
102.Fa ptr
103points to
104.Fa len
105bytes.
106A copy of
107.Fa ptr
108is made, and no references to the passed pointer are kept.
109.Pp
110The authenticator data passed to
111.Fn fido_cred_set_authdata
112must be a CBOR-encoded byte string, as obtained from
113.Fn fido_cred_authdata_ptr .
114Alternatively, a raw binary blob may be passed to
115.Fn fido_cred_set_authdata_raw .
116An application calling
117.Fn fido_cred_set_authdata
118does not need to call
119.Fn fido_cred_set_id .
120The latter is meant to be used in contexts where the
121credential's authenticator data is not available.
122.Pp
123The attestation statement passed to
124.Fn fido_cred_set_attstmt
125must be a CBOR-encoded map, as obtained from
126.Fn fido_cred_attstmt_ptr .
127An application calling
128.Fn fido_cred_set_attstmt
129does not need to call
130.Fn fido_cred_set_x509
131or
132.Fn fido_cred_set_sig .
133The latter two are meant to be used in contexts where the
134credential's complete attestation statement is not available or
135required.
136.Pp
137The
138.Fn fido_cred_set_clientdata
139function allows an application to set the client data hash of
140.Fa cred
141by specifying the credential's unhashed client data.
142This is required by Windows Hello, which calculates the client data
143hash internally.
144For compatibility with Windows Hello, applications should use
145.Fn fido_cred_set_clientdata
146instead of
147.Fn fido_cred_set_clientdata_hash .
148.Pp
149The
150.Fn fido_cred_set_rp
151function sets the relying party
152.Fa id
153and
154.Fa name
155parameters of
156.Fa cred ,
157where
158.Fa id
159and
160.Fa name
161are NUL-terminated UTF-8 strings.
162The contents of
163.Fa id
164and
165.Fa name
166are copied, and no references to the passed pointers are kept.
167.Pp
168The
169.Fn fido_cred_set_user
170function sets the user attributes of
171.Fa cred ,
172where
173.Fa user_id
174points to
175.Fa user_id_len
176bytes and
177.Fa name ,
178.Fa display_name ,
179and
180.Fa icon
181are NUL-terminated UTF-8 strings.
182The contents of
183.Fa user_id ,
184.Fa name ,
185.Fa display_name ,
186and
187.Fa icon
188are copied, and no references to the passed pointers are kept.
189Previously set user attributes are flushed.
190The
191.Fa user_id ,
192.Fa name ,
193.Fa display_name ,
194and
195.Fa icon
196parameters may be NULL.
197.Pp
198The
199.Fn fido_cred_set_extensions
200function sets the extensions of
201.Fa cred
202to the bitmask
203.Fa flags .
204At the moment, only the
205.Dv FIDO_EXT_CRED_BLOB ,
206.Dv FIDO_EXT_CRED_PROTECT ,
207.Dv FIDO_EXT_HMAC_SECRET ,
208.Dv FIDO_EXT_MINPINLEN ,
209and
210.Dv FIDO_EXT_LARGEBLOB_KEY
211extensions are supported.
212If
213.Fa flags
214is zero, the extensions of
215.Fa cred
216are cleared.
217.Pp
218The
219.Fn fido_cred_set_blob
220function sets the
221.Dq credBlob
222to be stored with
223.Fa cred
224to the data pointed to by
225.Fa ptr ,
226which must be
227.Fa len
228bytes long.
229.Pp
230The
231.Fn fido_cred_set_pin_minlen
232function enables the CTAP 2.1
233.Dv FIDO_EXT_MINPINLEN
234extension on
235.Fa cred
236and sets the expected minimum PIN length of
237.Fa cred
238to
239.Fa len ,
240where
241.Fa len
242is greater than zero.
243If
244.Fa len
245is zero, the
246.Dv FIDO_EXT_MINPINLEN
247extension is disabled on
248.Fa cred .
249.Pp
250The
251.Fn fido_cred_set_prot
252function enables the CTAP 2.1
253.Dv FIDO_EXT_CRED_PROTECT
254extension on
255.Fa cred
256and sets the protection of
257.Fa cred
258to the scalar
259.Fa prot .
260At the moment, only the
261.Dv FIDO_CRED_PROT_UV_OPTIONAL ,
262.Dv FIDO_CRED_PROT_UV_OPTIONAL_WITH_ID ,
263and
264.Dv FIDO_CRED_PROT_UV_REQUIRED
265protections are supported.
266If
267.Fa prot
268is zero, the protection of
269.Fa cred
270is cleared.
271.Pp
272The
273.Fn fido_cred_set_rk
274and
275.Fn fido_cred_set_uv
276functions set the
277.Em rk
278.Pq resident/discoverable key
279and
280.Em uv
281.Pq user verification
282attributes of
283.Fa cred .
284Both are
285.Dv FIDO_OPT_OMIT
286by default, allowing the authenticator to use its default settings.
287.Pp
288The
289.Fn fido_cred_set_fmt
290function sets the attestation format of
291.Fa cred
292to
293.Fa fmt ,
294where
295.Fa fmt
296must be
297.Vt "packed"
298.Pq the format used in FIDO2 ,
299.Vt "fido-u2f"
300.Pq the format used by U2F ,
301or
302.Vt "none" .
303A copy of
304.Fa fmt
305is made, and no references to the passed pointer are kept.
306Note that not all authenticators support FIDO2 and therefore may not
307be able to generate
308.Vt "packed" .
309.Pp
310The
311.Fn fido_cred_set_type
312function sets the type of
313.Fa cred to
314.Fa cose_alg ,
315where
316.Fa cose_alg
317is
318.Dv COSE_ES256 ,
319.Dv COSE_RS256 ,
320or
321.Dv COSE_EDDSA .
322The type of a credential may only be set once.
323Note that not all authenticators support COSE_RS256 or COSE_EDDSA.
324.Pp
325Use of the
326.Nm
327set of functions may happen in two distinct situations:
328when generating a new credential on a FIDO2 device, prior to
329.Xr fido_dev_make_cred 3
330(i.e, in the context of a FIDO2 client), or when validating
331a generated credential using
332.Xr fido_cred_verify 3
333(i.e, in the context of a FIDO2 server).
334.Pp
335For a complete description of the generation of a FIDO2 credential
336and its verification, please refer to the FIDO2 specification.
337A concrete utilisation example of the
338.Nm
339set of functions can be found in the
340.Pa cred.c
341example shipped with
342.Em libfido2 .
343.Sh RETURN VALUES
344The error codes returned by the
345.Nm
346set of functions are defined in
347.In fido/err.h .
348On success,
349.Dv FIDO_OK
350is returned.
351.Sh SEE ALSO
352.Xr fido_cred_exclude 3 ,
353.Xr fido_cred_verify 3 ,
354.Xr fido_dev_make_cred 3
355