.\" Copyright (c) 2018-2021 Yubico AB. All rights reserved.
.\" Use of this source code is governed by a BSD-style
.\" license that can be found in the LICENSE file.
.\"
.Dd $Mdocdate: May 23 2018 $
.Dt FIDO_CRED_VERIFY 3
.Os
.Sh NAME
.Nm fido_cred_verify ,
.Nm fido_cred_verify_self
.Nd verify the attestation signature of a FIDO2 credential
.Sh SYNOPSIS
.In fido.h
.Ft int
.Fn fido_cred_verify "const fido_cred_t *cred"
.Ft int
.Fn fido_cred_verify_self "const fido_cred_t *cred"
.Sh DESCRIPTION
The
.Fn fido_cred_verify
and
.Fn fido_cred_verify_self
functions verify whether the attestation signature contained in
.Fa cred
matches the attributes of the credential.
Before using
.Fn fido_cred_verify
or
.Fn fido_cred_verify_self
in a sensitive context, the reader is strongly encouraged to make
herself familiar with the FIDO2 credential attestation process
as defined in the Web Authentication (webauthn) standard.
.Pp
The
.Fn fido_cred_verify
function verifies whether the client data hash, relying party ID,
credential ID, type, protection policy, minimum PIN length, and
resident/discoverable key and user verification attributes of
.Fa cred
have been attested by the holder of the private counterpart of
the public key contained in the credential's x509 certificate.
.Pp
Please note that the x509 certificate itself is not verified.
.Pp
The attestation statement formats supported by
.Fn fido_cred_verify
are
.Em packed ,
.Em fido-u2f ,
and
.Em tpm .
The attestation type implemented by
.Fn fido_cred_verify
is
.Em Basic Attestation .
.Pp
The
.Fn fido_cred_verify_self
function verifies whether the client data hash, relying party ID,
credential ID, type, protection policy, minimum PIN length, and
resident/discoverable key and user verification attributes of
.Fa cred
have been attested by the holder of the credential's private key.
.Pp
The attestation statement formats supported by
.Fn fido_cred_verify_self
are
.Em packed
and
.Em fido-u2f .
The attestation type implemented by
.Fn fido_cred_verify_self
is
.Em Self Attestation .
.Pp
Other attestation formats and types are not supported.
.Sh RETURN VALUES
The error codes returned by
.Fn fido_cred_verify
and
.Fn fido_cred_verify_self
are defined in
.In fido/err.h .
If
.Fa cred
passes verification, then
.Dv FIDO_OK
is returned.
.Sh SEE ALSO
.Xr fido_cred_new 3 ,
.Xr fido_cred_set_authdata 3
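.Sh EXAMPLES
The following is an added example, not code from libfido2 or from the authors of this manual.
It goes beyond the two functions above to show, following the WebAuthn authenticator data layout, where the relying party ID hash, user verification flag and credential ID are located in raw authenticator data, with the bounds checks needed before those fields are compared.
The names authdata_view and authdata_parse and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define AD_FLAG_UP 0x01 /* user present */
#define AD_FLAG_UV 0x04 /* user verified */
#define AD_FLAG_AT 0x40 /* attested credential data present */

/* Hypothetical view type for this example; not a libfido2 structure. */
struct authdata_view {
	const uint8_t *rp_id_hash; /* 32 bytes, SHA-256 of the RP ID */
	uint8_t flags;
	uint32_t sign_count;
	const uint8_t *aaguid;     /* 16 bytes, NULL when AT is clear */
	const uint8_t *cred_id;    /* NULL when AT is clear */
	size_t cred_id_len;
};

/* Parse raw authenticator data. Returns 0 on success, -1 if malformed. */
int authdata_parse(const uint8_t *p, size_t len, struct authdata_view *v)
{
	memset(v, 0, sizeof(*v));
	if (p == NULL || len < 37) /* 32 hash + 1 flags + 4 counter */
		return -1;
	v->rp_id_hash = p;
	v->flags = p[32];
	v->sign_count = ((uint32_t)p[33] << 24) | ((uint32_t)p[34] << 16) |
	    ((uint32_t)p[35] << 8) | (uint32_t)p[36];
	if ((v->flags & AD_FLAG_AT) == 0)
		return 0; /* no credential data, as in an assertion */
	if (len - 37 < 18) /* 16 AAGUID + 2 length bytes */
		return -1;
	v->aaguid = p + 37;
	v->cred_id_len = ((size_t)p[53] << 8) | p[54];
	/* Reject IDs over the 1023-byte WebAuthn limit or past the input. */
	if (v->cred_id_len > 1023 || v->cred_id_len > len - 55)
		return -1;
	v->cred_id = p + 55; /* COSE key and extensions follow, not parsed */
	return 0;
}

int main(void)
{
	uint8_t ad[59] = {0}; /* constructed sample, not a real credential */
	struct authdata_view v;
	memset(ad, 0xAB, 32); /* placeholder RP ID hash */
	ad[32] = AD_FLAG_UP | AD_FLAG_UV | AD_FLAG_AT;
	ad[54] = 4; /* credential ID length */
	return authdata_parse(ad, sizeof(ad), &v) == 0 ? 0 : 1;
}
```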