diff options
Diffstat (limited to 'examples/README.adoc')
| -rw-r--r-- | examples/README.adoc | 81 |
1 files changed, 81 insertions, 0 deletions
diff --git a/examples/README.adoc b/examples/README.adoc new file mode 100644 index 0000000..091c6bc --- /dev/null +++ b/examples/README.adoc | |||
| @@ -0,0 +1,81 @@ | |||
| 1 | = Examples | ||
| 2 | |||
| 3 | === Definitions | ||
| 4 | |||
| 5 | The following definitions are used in the description below: | ||
| 6 | |||
| 7 | - <device> | ||
| 8 | |||
| 9 | The file system path or subsystem-specific identification string of a | ||
| 10 | FIDO device. | ||
| 11 | |||
| 12 | - <pin>, [oldpin] | ||
| 13 | |||
| 14 | Strings passed directly in the executed command's argument vector. | ||
| 15 | |||
| 16 | - <cred_id> | ||
| 17 | |||
| 18 | The file system path of a file containing a FIDO credential ID in | ||
| 19 | binary representation. | ||
| 20 | |||
| 21 | - <pubkey> | ||
| 22 | |||
| 23 | The file system path of a file containing a NIST P-256 public key in | ||
| 24 | PEM format. | ||
| 25 | |||
| 26 | === Description | ||
| 27 | |||
| 28 | The following examples are provided: | ||
| 29 | |||
| 30 | - manifest | ||
| 31 | |||
| 32 | Prints a list of configured FIDO devices. | ||
| 33 | |||
| 34 | - info <device> | ||
| 35 | |||
| 36 | Prints information about <device>. | ||
| 37 | |||
| 38 | - reset <device> | ||
| 39 | |||
| 40 | Performs a factory reset on <device>. | ||
| 41 | |||
| 42 | - setpin <pin> [oldpin] <device> | ||
| 43 | |||
| 44 | Configures <pin> as the new PIN of <device>. If [oldpin] is provided, | ||
| 45 | the device's PIN is changed from [oldpin] to <pin>. | ||
| 46 | |||
| 47 | - cred [-t ecdsa|rsa|eddsa] [-k pubkey] [-ei cred_id] [-P pin] [-T seconds] | ||
| 48 | [-hruv] <device> | ||
| 49 | |||
| 50 | Creates a new credential on <device> and verify that the credential | ||
| 51 | was signed by the authenticator. The device's attestation certificate | ||
| 52 | is not verified. If option -k is specified, the credential's public | ||
| 53 | key is stored in <pubkey>. If option -i is specified, the credential | ||
| 54 | ID is stored in <cred_id>. The -e option may be used to add <cred_id> | ||
| 55 | to the list of excluded credentials. If option -h is specified, | ||
| 56 | the hmac-secret FIDO2 extension is enabled on the generated | ||
| 57 | credential. If option -r is specified, the generated credential | ||
| 58 | will involve a resident key. User verification may be requested | ||
| 59 | through the -v option. If option -u is specified, the credential | ||
| 60 | is generated using U2F (CTAP1) instead of FIDO2 (CTAP2) commands. | ||
| 61 | The -T option may be used to enforce a timeout of <seconds>. | ||
| 62 | |||
| 63 | - assert [-t ecdsa|rsa|eddsa] [-a cred_id] [-h hmac_secret] [-s hmac_salt] | ||
| 64 | [-P pin] [-T seconds] [-puv] <pubkey> <device> | ||
| 65 | |||
| 66 | Asks <device> for a FIDO2 assertion corresponding to [cred_id], | ||
| 67 | which may be omitted for resident keys. The obtained assertion | ||
| 68 | is verified using <pubkey>. The -p option requests that the user | ||
| 69 | be present. User verification may be requested through the -v | ||
| 70 | option. If option -u is specified, the assertion is generated using | ||
| 71 | U2F (CTAP1) instead of FIDO2 (CTAP2) commands. If option -s is | ||
| 72 | specified, a FIDO2 hmac-secret is requested from the authenticator, | ||
| 73 | and the contents of <hmac_salt> are used as the salt. If option -h | ||
| 74 | is specified, the resulting hmac-secret is stored in <hmac_secret>. | ||
| 75 | The -T option may be used to enforce a timeout of <seconds>. | ||
| 76 | |||
| 77 | - retries <device> | ||
| 78 | Get the number of PIN attempts left on <device> before lockout. | ||
| 79 | |||
| 80 | Debugging is possible through the use of the FIDO_DEBUG environment variable. | ||
| 81 | If set, libfido2 will produce a log of its transactions with the authenticator. | ||