Diffstat (limited to 'examples/README.adoc')
-rw-r--r-- | examples/README.adoc | 81 |
1 files changed, 81 insertions, 0 deletions
diff --git a/examples/README.adoc b/examples/README.adoc new file mode 100644 index 0000000..091c6bc --- /dev/null +++ b/examples/README.adoc | |||
@@ -0,0 +1,81 @@ | |||
1 | = Examples | ||
2 | |||
3 | === Definitions | ||
4 | |||
5 | The following definitions are used in the description below: | ||
6 | |||
7 | - <device> | ||
8 | |||
9 | The file system path or subsystem-specific identification string of a | ||
10 | FIDO device. | ||
11 | |||
12 | - <pin>, [oldpin] | ||
13 | |||
14 | Strings passed directly in the executed command's argument vector. | ||
15 | |||
16 | - <cred_id> | ||
17 | |||
18 | The file system path of a file containing a FIDO credential ID in | ||
19 | binary representation. | ||
20 | |||
21 | - <pubkey> | ||
22 | |||
23 | The file system path of a file containing a NIST P-256 public key in | ||
24 | PEM format. | ||
25 | |||
26 | === Description | ||
27 | |||
28 | The following examples are provided: | ||
29 | |||
30 | - manifest | ||
31 | |||
32 | Prints a list of configured FIDO devices. | ||
33 | |||
34 | - info <device> | ||
35 | |||
36 | Prints information about <device>. | ||
37 | |||
38 | - reset <device> | ||
39 | |||
40 | Performs a factory reset on <device>. | ||
41 | |||
42 | - setpin <pin> [oldpin] <device> | ||
43 | |||
44 | Configures <pin> as the new PIN of <device>. If [oldpin] is provided, | ||
45 | the device's PIN is changed from [oldpin] to <pin>. | ||
46 | |||
47 | - cred [-t ecdsa|rsa|eddsa] [-k pubkey] [-ei cred_id] [-P pin] [-T seconds] | ||
48 | [-hruv] <device> | ||
49 | |||
50 | Creates a new credential on <device> and verify that the credential | ||
51 | was signed by the authenticator. The device's attestation certificate | ||
52 | is not verified. If option -k is specified, the credential's public | ||
53 | key is stored in <pubkey>. If option -i is specified, the credential | ||
54 | ID is stored in <cred_id>. The -e option may be used to add <cred_id> | ||
55 | to the list of excluded credentials. If option -h is specified, | ||
56 | the hmac-secret FIDO2 extension is enabled on the generated | ||
57 | credential. If option -r is specified, the generated credential | ||
58 | will involve a resident key. User verification may be requested | ||
59 | through the -v option. If option -u is specified, the credential | ||
60 | is generated using U2F (CTAP1) instead of FIDO2 (CTAP2) commands. | ||
61 | The -T option may be used to enforce a timeout of <seconds>. | ||
62 | |||
63 | - assert [-t ecdsa|rsa|eddsa] [-a cred_id] [-h hmac_secret] [-s hmac_salt] | ||
64 | [-P pin] [-T seconds] [-puv] <pubkey> <device> | ||
65 | |||
66 | Asks <device> for a FIDO2 assertion corresponding to [cred_id], | ||
67 | which may be omitted for resident keys. The obtained assertion | ||
68 | is verified using <pubkey>. The -p option requests that the user | ||
69 | be present. User verification may be requested through the -v | ||
70 | option. If option -u is specified, the assertion is generated using | ||
71 | U2F (CTAP1) instead of FIDO2 (CTAP2) commands. If option -s is | ||
72 | specified, a FIDO2 hmac-secret is requested from the authenticator, | ||
73 | and the contents of <hmac_salt> are used as the salt. If option -h | ||
74 | is specified, the resulting hmac-secret is stored in <hmac_secret>. | ||
75 | The -T option may be used to enforce a timeout of <seconds>. | ||
76 | |||
77 | - retries <device> | ||
78 | Get the number of PIN attempts left on <device> before lockout. | ||
79 | |||
80 | Debugging is possible through the use of the FIDO_DEBUG environment variable. | ||
81 | If set, libfido2 will produce a log of its transactions with the authenticator. | ||
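Review bot: The `cred` and `assert` synopses (new-file lines 47-48 and 63-64) list `-t ecdsa|rsa|eddsa` and `-P pin`, but neither description paragraph explains them. Add a sentence for each option, and define `<hmac_secret>`, `<hmac_salt>` and `<seconds>` under Definitions next to `<cred_id>` and `<pubkey>`, since the text uses all three. Definitions says `<pin>` and `[oldpin]` are "passed directly in the executed command's argument vector"; it would help to state beside `setpin` and `-P` that the PIN is therefore readable by anything that can see the process's arguments, so readers treat these programs as examples rather than as a way to handle a real PIN. The sentence "The device's attestation certificate is not verified" in `cred` is an important limitation and could be moved to the start of that paragraph so it is not missed. Smaller points: line 50 should read "verifies" to match "Creates", and the `retries` entry (lines 77-78) lacks the blank line between the item and its description that every other entry has.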