fido_dev_enable_entattest(3) - NetBSD Manual Pages

FIDO_DEV_ENABLE_ENTA... NetBSD Library Functions ManualFIDO_DEV_ENABLE_ENTA...


NAME

     fido_dev_enable_entattest, fido_dev_toggle_always_uv,
     fido_dev_force_pin_change, fido_dev_set_pin_minlen,
     fido_dev_set_pin_minlen_rpid -- CTAP 2.1 configuration authenticator API


SYNOPSIS

     #include <fido.h>
     #include <fido/config.h>

     int
     fido_dev_enable_entattest(fido_dev_t *dev, const char *pin);

     int
     fido_dev_toggle_always_uv(fido_dev_t *dev, const char *pin);

     int
     fido_dev_force_pin_change(fido_dev_t *dev, const char *pin);

     int
     fido_dev_set_pin_minlen(fido_dev_t *dev, size_t len, const char *pin);

     int
     fido_dev_set_pin_minlen_rpid(fido_dev_t *dev, const char * const *rpid,
         size_t n, const char *pin);


DESCRIPTION

     The functions described in this page allow configuration of a CTAP 2.1
     authenticator.

     The fido_dev_enable_entattest() function enables the Enterprise
     Attestation feature on dev.  Enterprise Attestation instructs the authen-
     ticator to include uniquely identifying information in subsequent attes-
     tation statements.  The pin parameter may be NULL if dev does not have a
     PIN set.

     The fido_dev_toggle_always_uv() function toggles the ``user verification
     always'' feature on dev.  When set, this toggle enforces user verifica-
     tion at the authenticator level for all known credentials.  If dev sup-
     ports U2F (CTAP1) and the user verification methods supported by the
     authenticator do not allow protection of U2F credentials, the U2F subsys-
     tem will be disabled by the authenticator.  The pin parameter may be NULL
     if dev does not have a PIN set.

     The fido_dev_force_pin_change() function instructs dev to require a PIN
     change.  Subsequent PIN authentication attempts against dev will fail
     until its PIN is changed.

     The fido_dev_set_pin_minlen() function sets the minimum PIN length of dev
     to len.  Minimum PIN lengths may only be increased.

     The fido_dev_set_pin_minlen_rpid() function sets the list of relying
     party identifiers (RP IDs) that are allowed to obtain the minimum PIN
     length of dev through the CTAP 2.1 FIDO_EXT_MINPINLEN extension.  The
     list of RP identifiers is denoted by rpid, a vector of n NUL-terminated
     UTF-8 strings.  A copy of rpid is made, and no reference to it or its
     contents is kept.  The maximum value of n supported by the authenticator
     can be obtained using fido_cbor_info_maxrpid_minpinlen(3).

     Configuration settings are reflected in the payload returned by the
     authenticator in response to a fido_dev_get_cbor_info(3) call.


RETURN VALUES

     The error codes returned by fido_dev_enable_entattest(),
     fido_dev_toggle_always_uv(), fido_dev_force_pin_change(),
     fido_dev_set_pin_minlen(), and fido_dev_set_pin_minlen_rpid() are defined
     in <fido/err.h>.  On success, FIDO_OK is returned.


SEE ALSO

     fido_cbor_info_maxrpid_minpinlen(3), fido_cred_pin_minlen(3),
     fido_dev_get_cbor_info(3), fido_dev_reset(3)

NetBSD 10.99                   January 13, 2025                   NetBSD 10.99

Powered by man-cgi (2024-08-26). Maintained for NetBSD by Kimmo Suominen. Based on man-cgi by Panagiotis Christias.