Diffstat (limited to 'man/fido2-assert.1')
-rw-r--r-- | man/fido2-assert.1 | 220 |
1 files changed, 220 insertions, 0 deletions
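diff --git a/man/fido2-assert.1 b/man/fido2-assert.1
new file mode 100644
index 0000000..67883e2
--- /dev/null
+++ b/man/fido2-assert.1
@@ -0,0 +1,220 @@
+.\" Copyright (c) 2018 Yubico AB. All rights reserved.
+.\" Use of this source code is governed by a BSD-style
+.\" license that can be found in the LICENSE file.
+.\"
+.Dd $Mdocdate: November 5 2019 $
+.Dt FIDO2-ASSERT 1
+.Os
+.Sh NAME
+.Nm fido2-assert
+.Nd get/verify a FIDO 2 assertion
+.Sh SYNOPSIS
+.Nm
+.Fl G
+.Op Fl dhpruv
+.Op Fl i Ar input_file
+.Op Fl o Ar output_file
+.Ar device
+.Nm
+.Fl V
+.Op Fl dhpv
+.Op Fl i Ar input_file
+.Ar key_file
+.Op Ar type
+.Sh DESCRIPTION
+.Nm
+gets or verifies a FIDO 2 assertion.
+.Pp
+The input of
+.Nm
+is defined by the parameters of the assertion to be obtained/verified.
+See the
+.Sx INPUT FORMAT
+section for details.
+.Pp
+The output of
+.Nm
+is defined by the result of the selected operation.
+See the
+.Sx OUTPUT FORMAT
+section for details.
+.Pp
+If an assertion is successfully obtained or verified,
+.Nm
+exits 0.
+Otherwise,
+.Nm
+exits 1.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl G
+Tells
+.Nm
+to obtain a new assertion from
+.Ar device .
+.It Fl V
+Tells
+.Nm
+to verify an assertion using the PEM-encoded public key in
+.Ar key_file
+of type
+.Ar type ,
+where
+.Ar type
+may be
+.Em es256
+(denoting ECDSA over NIST P-256 with SHA-256),
+.Em rs256
+(denoting 2048-bit RSA with PKCS#1.5 padding and SHA-256), or
+.Em eddsa
+(denoting EDDSA over Curve25519 with SHA-512).
+If
+.Ar type
+is not specified,
+.Em es256
+is assumed.
+.It Fl h
+If obtaining an assertion, enable the FIDO2 hmac-secret
+extension.
+If verifying an assertion, check whether the extension data bit was
+signed by the authenticator.
+.It Fl d
+Causes
+.Nm
+to emit debugging output on
+.Em stderr .
+.It Fl i Ar input_file
+Tells
+.Nm
+to read the parameters of the assertion from
+.Ar input_file
+instead of
+.Em stdin .
+.It Fl o Ar output_file
+Tells
+.Nm
+to write output on
+.Ar output_file
+instead of
+.Em stdout .
+.It Fl p
+If obtaining an assertion, request user presence.
+If verifying an assertion, check whether the user presence bit was
+signed by the authenticator.
+.It Fl r
+Obtain an assertion using a resident credential.
+If
+.Fl r
+is specified,
+.Nm
+will not expect a credential id in its input, and may output
+multiple assertions.
+.It Fl u
+Obtain an assertion using U2F.
+By default,
+.Nm
+will use FIDO2 if supported by the authenticator, and fallback to
+U2F otherwise.
+.It Fl v
+If obtaining an assertion, prompt the user for a PIN and request
+user verification from the authenticator.
+If a
+.Em tty
+is available,
+.Nm
+will use it to obtain the PIN.
+Otherwise,
+.Em stdin
+is used.
+If verifying an assertion, check whether the user verification bit
+was signed by the authenticator.
+.El
+.Sh INPUT FORMAT
+The input of
+.Nm
+consists of base64 blobs and UTF-8 strings separated
+by newline characters ('\\n').
+.Pp
+When obtaining an assertion,
+.Nm
+expects its input to consist of:
+.Pp
+.Bl -enum -offset indent -compact
+.It
+client data hash (base64 blob);
+.It
+relying party id (UTF-8 string);
+.It
+credential id, if credential not resident (base64 blob);
+.It
+hmac salt, if the FIDO2 hmac-secret extension is enabled
+(base64 blob);
+.El
+.Pp
+When verifying an assertion,
+.Nm
+expects its input to consist of:
+.Pp
+.Bl -enum -offset indent -compact
+.It
+client data hash (base64 blob);
+.It
+relying party id (UTF-8 string);
+.It
+authenticator data (base64 blob);
+.It
+assertion signature (base64 blob);
+.El
+.Pp
+UTF-8 strings passed to
+.Nm
+must not contain embedded newline or NUL characters.
+.Sh OUTPUT FORMAT
+The output of
+.Nm
+consists of base64 blobs and UTF-8 strings separated
+by newline characters ('\\n').
+.Pp
+For each generated assertion,
+.Nm
+outputs:
+.Pp
+.Bl -enum -offset indent -compact
+.It
+client data hash (base64 blob);
+.It
+relying party id (UTF-8 string);
+.It
+authenticator data (base64 blob);
+.It
+assertion signature (base64 blob);
+.It
+user id, if credential resident (base64 blob);
+.It
+hmac secret, if the FIDO2 hmac-secret extension is enabled
+(base64 blob);
+.El
+.Pp
+When verifying an assertion,
+.Nm
+produces no output.
+.Sh EXAMPLES
+Assuming
+.Pa cred
+contains a
+.Em es256
+credential created according to the steps outlined in
+.Xr fido2-cred 1 ,
+obtain an assertion from an authenticator at
+.Pa /dev/hidraw5
+and verify it:
+.Pp
+.Dl $ echo assertion challenge | openssl sha256 -binary | base64 > assert_param
+.Dl $ echo relying party >> assert_param
+.Dl $ head -1 cred >> assert_param
+.Dl $ tail -n +2 cred > pubkey
+.Dl $ fido2-assert -G -i assert_param /dev/hidraw5 | fido2-assert -V pubkey es256
+.Sh SEE ALSO
+.Xr fido2-cred 1 ,
+.Xr fido2-token 1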