Diffstat (limited to 'man')
| -rw-r--r-- | man/CMakeLists.txt | 2 | ||||
| -rwxr-xr-x | man/check.sh | 1 | ||||
| -rw-r--r-- | man/fido2-assert.1 | 6 | ||||
| -rw-r--r-- | man/fido2-cred.1 | 14 | ||||
| -rw-r--r-- | man/fido_cred_new.3 | 10 | ||||
| -rw-r--r-- | man/fido_cred_set_authdata.3 | 20 |
6 files changed, 47 insertions, 6 deletions
diff --git a/man/CMakeLists.txt b/man/CMakeLists.txt
index e83a9d713f90..f77c3891f875 100644
--- a/man/CMakeLists.txt
+++ b/man/CMakeLists.txt
@@ -165,6 +165,7 @@ list(APPEND MAN_ALIAS
 fido_cred_new fido_cred_clientdata_hash_len
 fido_cred_new fido_cred_clientdata_hash_ptr
 fido_cred_new fido_cred_display_name
+ fido_cred_new fido_cred_entattest
 fido_cred_new fido_cred_flags
 fido_cred_new fido_cred_fmt
 fido_cred_new fido_cred_free
@@ -216,6 +217,7 @@ list(APPEND MAN_ALIAS
 fido_cred_set_authdata fido_cred_set_blob
 fido_cred_set_authdata fido_cred_set_clientdata
 fido_cred_set_authdata fido_cred_set_clientdata_hash
+ fido_cred_set_authdata fido_cred_set_entattest
 fido_cred_set_authdata fido_cred_set_extensions
 fido_cred_set_authdata fido_cred_set_fmt
 fido_cred_set_authdata fido_cred_set_id
diff --git a/man/check.sh b/man/check.sh
index d969a7afb666..cf978473290e 100755
--- a/man/check.sh
+++ b/man/check.sh
@@ -10,6 +10,7 @@ find . -maxdepth 1 -type f -name '*.3' -print0 > "$T/files"
 xargs -0 awk '/^.Sh NAME/,/^.Nd/' < "$T/files" | \
 awk '/^.Nm/ { print $2 }' | sort -u > "$T/Nm"
+# shellcheck disable=SC2016
 xargs -0 awk '/^.Fn/ { print $2 }' < "$T/files" | sort -u > "$T/Fn"
 (cd "$T" && diff -u Nm Fn)
diff --git a/man/fido2-assert.1 b/man/fido2-assert.1
index 882b7ab1feaa..9201acfc473e 100644
--- a/man/fido2-assert.1
+++ b/man/fido2-assert.1
@@ -89,6 +89,8 @@ where may be
 .Em es256
 (denoting ECDSA over NIST P-256 with SHA-256),
+.Em es384
+(denoting ECDSA over NIST P-384 with SHA-384),
 .Em rs256
 (denoting 2048-bit RSA with PKCS#1.5 padding and SHA-256), or
 .Em eddsa
@@ -224,7 +226,7 @@ client data hash (base64 blob);
 .It
 relying party id (UTF-8 string);
 .It
-authenticator data (base64 blob);
+CBOR encoded authenticator data (base64 blob);
 .It
 assertion signature (base64 blob);
 .El
@@ -248,7 +250,7 @@ client data hash (base64 blob);
 .It
 relying party id (UTF-8 string);
 .It
-authenticator data (base64 blob);
+CBOR encoded authenticator data (base64 blob);
 .It
 assertion signature (base64 blob);
 .It
diff --git a/man/fido2-cred.1 b/man/fido2-cred.1
index 3f181db6d135..a7fc00ae9702 100644
--- a/man/fido2-cred.1
+++ b/man/fido2-cred.1
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2018-2023 Yubico AB. All rights reserved.
+.\" Copyright (c) 2018-2024 Yubico AB. All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions are
@@ -35,6 +35,7 @@
 .Nm
 .Fl M
 .Op Fl bdhqruvw
+.Op Fl a Ar mode
 .Op Fl c Ar cred_protect
 .Op Fl i Ar input_file
 .Op Fl o Ar output_file
@@ -56,6 +57,8 @@ A credential may be
 .Em es256
 (denoting ECDSA over NIST P-256 with SHA-256),
+.Em es384
+(denoting ECDSA over NIST P-384 with SHA-384),
 .Em rs256
 (denoting 2048-bit RSA with PKCS#1.5 padding and SHA-256), or
 .Em eddsa
@@ -118,6 +121,11 @@ to verify a credential.
 Request the credential's
 .Dq largeBlobKey ,
 a 32-byte symmetric key associated with the generated credential.
+.It Fl a Ar mode
+When making a credential, request enterprise attestation.
+Please refer to
+.In fido/param.h
+for the set of possible values.
 .It Fl c Ar cred_protect
 If making a credential, set the credential's protection level to
 .Ar cred_protect ,
@@ -218,7 +226,7 @@ relying party id (UTF-8 string);
 .It
 credential format (UTF-8 string);
 .It
-authenticator data (base64 blob);
+CBOR encoded authenticator data (base64 blob);
 .It
 credential id (base64 blob);
 .It
@@ -248,7 +256,7 @@ relying party id (UTF-8 string);
 .It
 credential format (UTF-8 string);
 .It
-authenticator data (base64 blob);
+CBOR encoded authenticator data (base64 blob);
 .It
 credential id (base64 blob);
 .It
diff --git a/man/fido_cred_new.3 b/man/fido_cred_new.3
index 32ce76840d6a..79eb06a56b3b 100644
--- a/man/fido_cred_new.3
+++ b/man/fido_cred_new.3
@@ -63,6 +63,7 @@
 .Nm fido_cred_x5c_list_len ,
 .Nm fido_cred_x5c_len ,
 .Nm fido_cred_attstmt_len ,
+.Nm fido_cred_entattest ,
 .Nm fido_cred_type ,
 .Nm fido_cred_flags ,
 .Nm fido_cred_sigcount
@@ -137,6 +138,8 @@
 .Fn fido_cred_x5c_len "const fido_cred_t *cred"
 .Ft size_t
 .Fn fido_cred_attstmt_len "const fido_cred_t *cred"
+.Ft bool
+.Fn fido_cred_entattest "const fido_cred_t *cred"
 .Ft int
 .Fn fido_cred_type "const fido_cred_t *cred"
 .Ft uint8_t
@@ -309,6 +312,13 @@ The authenticator data, x509 certificate, and signature parts of a credential are typically passed to a FIDO2 server for verification.
 .Pp
 The
+.Fn fido_cred_entattest
+function returns
+.Dv true
+if an enterprise attestation was returned for
+.Fa cred .
+.Pp
+The
 .Fn fido_cred_type
 function returns the COSE algorithm of
 .Fa cred .
diff --git a/man/fido_cred_set_authdata.3 b/man/fido_cred_set_authdata.3
index ba3507fdffd2..a5898774ee11 100644
--- a/man/fido_cred_set_authdata.3
+++ b/man/fido_cred_set_authdata.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2018-2022 Yubico AB. All rights reserved.
+.\" Copyright (c) 2018-2024 Yubico AB. All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions are
@@ -40,6 +40,7 @@
 .Nm fido_cred_set_clientdata_hash ,
 .Nm fido_cred_set_rp ,
 .Nm fido_cred_set_user ,
+.Nm fido_cred_set_entattest ,
 .Nm fido_cred_set_extensions ,
 .Nm fido_cred_set_blob ,
 .Nm fido_cred_set_pin_minlen ,
@@ -81,6 +82,8 @@ typedef enum {
 .Ft int
 .Fn fido_cred_set_user "fido_cred_t *cred" "const unsigned char *user_id" "size_t user_id_len" "const char *name" "const char *display_name" "const char *icon"
 .Ft int
+.Fn fido_cred_set_entattest "fido_cred_t *cred" "int ea"
+.Ft int
 .Fn fido_cred_set_extensions "fido_cred_t *cred" "int flags"
 .Ft int
 .Fn fido_cred_set_blob "fido_cred_t *cred" "const unsigned char *ptr" "size_t len"
@@ -243,6 +246,21 @@ and parameters may be NULL.
 .Pp
 The
+.Fn fido_cred_set_entattest
+function sets the enterprise attestation mode of
+.Fa cred
+to
+.Fa ea .
+At the moment, only the
+.Dv FIDO_ENTATTEST_VENDOR
+and
+.Dv FIDO_ENTATTEST_PLATFORM
+modes are supported.
+By default, or if
+.Fa ea
+is zero, no enterprise attestation is requested.
+.Pp
+The
 .Fn fido_cred_set_extensions
 function sets the extensions of
 .Fa cred |
