.\" Copyright (c) 2020 Yubico AB. All rights reserved.
.\" Use of this source code is governed by a BSD-style
.\" license that can be found in the LICENSE file.
.\"
.Dd $Mdocdate: September 22 2020 $
.Dt FIDO_DEV_ENABLE_ENTATTEST 3
.Os
.Sh NAME
.Nm fido_dev_enable_entattest ,
.Nm fido_dev_toggle_always_uv ,
.Nm fido_dev_force_pin_change ,
.Nm fido_dev_set_pin_minlen ,
.Nm fido_dev_set_pin_minlen_rpid
.Nd CTAP 2.1 configuration authenticator API
.Sh SYNOPSIS
.In fido.h
.In fido/config.h
.Ft int
.Fn fido_dev_enable_entattest "fido_dev_t *dev" "const char *pin"
.Ft int
.Fn fido_dev_toggle_always_uv "fido_dev_t *dev" "const char *pin"
.Ft int
.Fn fido_dev_force_pin_change "fido_dev_t *dev" "const char *pin"
.Ft int
.Fn fido_dev_set_pin_minlen "fido_dev_t *dev" "size_t len" "const char *pin"
.Ft int
.Fn fido_dev_set_pin_minlen_rpid "fido_dev_t *dev" "const char * const *rpid" "size_t n" "const char *pin"
.Sh DESCRIPTION
The functions described in this page allow configuration of a
CTAP 2.1 authenticator.
.Pp
The
.Fn fido_dev_enable_entattest
function enables the
.Em Enterprise Attestation
feature on
.Fa dev .
.Em Enterprise Attestation
instructs the authenticator to include uniquely identifying
information in subsequent attestation statements.
The
.Fa pin
parameter may be NULL if
.Fa dev
does not have a PIN set.
.Pp
The
.Fn fido_dev_toggle_always_uv
function toggles the
.Dq user verification always
feature on
.Fa dev .
When set, this toggle enforces user verification at the
authenticator level for all known credentials.
If
.Fa dev
supports U2F (CTAP1) and the user verification methods supported by
the authenticator do not allow protection of U2F credentials, the
U2F subsystem will be disabled by the authenticator.
The
.Fa pin
parameter may be NULL if
.Fa dev
does not have a PIN set.
.Pp
The
.Fn fido_dev_force_pin_change
instructs
.Fa dev
to require a PIN change.
Subsequent PIN authentication attempts against
.Fa dev
will fail until its PIN is changed.
.Pp
The
.Fn fido_dev_set_pin_minlen
function sets the minimum PIN length of
.Fa dev
to
.Fa len .
Minimum PIN lengths may only be increased.
.Pp
The
.Fn fido_dev_set_pin_minlen_rpid
function sets the list of relying party identifiers
.Pq RP IDs
that are allowed to obtain the minimum PIN length of
.Fa dev
through the CTAP 2.1
.Dv FIDO_EXT_MINPINLEN
extension.
The list of RP identifiers is denoted by
.Fa rpid ,
a vector of
.Fa n
NUL-terminated UTF-8 strings.
A copy of
.Fa rpid
is made, and no reference to it or its contents is kept.
.Pp
Configuration settings are reflected in the payload returned by the
authenticator in response to a
.Xr fido_dev_get_cbor_info 3
call.
.Sh RETURN VALUES
The error codes returned by
.Fn fido_dev_enable_entattest ,
.Fn fido_dev_toggle_always_uv ,
.Fn fido_dev_force_pin_change ,
.Fn fido_dev_set_pin_minlen ,
and
.Fn fido_dev_set_pin_minlen_rpid
are defined in
.In fido/err.h .
On success,
.Dv FIDO_OK
is returned.
.Sh SEE ALSO
.Xr fido_cred_pin_minlen 3 ,
.Xr fido_dev_get_cbor_info 3 ,
.Xr fido_dev_reset 3