1 files changed, 158 insertions, 0 deletions
diff --git a/man/fido2-token.1 b/man/fido2-token.1
new file mode 100644
index 0000000..d5a5734
--- /dev/null
+++ b/man/fido2-token.1
@@ -0,0 +1,158 @@
+.\" Copyright (c) 2018 Yubico AB. All rights reserved.
+.\" Use of this source code is governed by a BSD-style
+.\" license that can be found in the LICENSE file.
+.\"
+.Dd $Mdocdate: September 13 2019 $
+.Dt FIDO2-TOKEN 1
+.Os
+.Sh NAME
+.Nm fido2-token
+.Nd find and manage a FIDO 2 authenticator
+.Sh SYNOPSIS
+.Nm
+.Op Fl CR
+.Op Fl d
+.Ar device
+.Nm
+.Fl D
+.Op Fl de
+.Fl i
+.Ar id
+.Ar device
+.Nm
+.Fl I
+.Op Fl cd
+.Op Fl k Ar rp_id Fl i Ar cred_id
+.Ar device
+.Nm
+.Fl L
+.Op Fl der
+.Op Fl k Ar rp_id
+.Op device
+.Nm
+.Fl S
+.Op Fl de
+.Op Fl i Ar template_id Fl n Ar template_name
+.Ar device
+.Nm
+.Fl V
+.Sh DESCRIPTION
+.Nm
+manages a FIDO 2 authenticator.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl C Ar device
+Changes the PIN of
+.Ar device .
+The user will be prompted for the current and new PINs.
+.It Fl D Fl i Ar id Ar device
+Deletes the resident credential specified by
+.Ar id
+from
+.Ar device ,
+where
+.Ar id
+is the credential's base64-encoded id.
+The user will be prompted for the PIN.
+.It Fl D Fl e Fl i Ar id Ar device
+Deletes the biometric enrollment specified by
+.Ar id
+from
+.Ar device ,
+where
+.Ar id
+is the enrollment's template base64-encoded id.
+The user will be prompted for the PIN.
+.It Fl I Ar device
+Retrieves information on
+.Ar device .
+.It Fl I Fl c Ar device
+Retrieves resident credential metadata from
+.Ar device .
+The user will be prompted for the PIN.
+.It Fl I Fl k Ar rp_id Fl i Ar cred_id Ar device
+Prints the credential id (base64-encoded) and public key
+(PEM encoded) of the resident credential specified by
+.Ar rp_id
+and
+.Ar cred_id ,
+where
+.Ar rp_id
+is a UTF-8 relying party id, and
+.Ar cred_id
+is a base64-encoded credential id.
+The user will be prompted for the PIN.
+.It Fl L
+Produces a list of authenticators found by the operating system.
+.It Fl L Fl e Ar device
+Produces a list of biometric enrollments on
+.Ar device .
+The user will be prompted for the PIN.
+.It Fl L Fl r Ar device
+Produces a list of relying parties with resident credentials on
+.Ar device .
+The user will be prompted for the PIN.
+.It Fl L Fl k Ar rp_id Ar device
+Produces a list of resident credentials corresponding to
+relying party
+.Ar rp_id
+on
+.Ar device .
+The user will be prompted for the PIN.
+.It Fl R
+Performs a reset on
+.Ar device .
+.Nm
+will NOT prompt for confirmation.
+.It Fl S
+Sets the PIN of
+.Ar device .
+The user will be prompted for the PIN.
+.It Fl S Fl e Ar device
+Performs a new biometric enrollment on
+.Ar device .
+The user will be prompted for the PIN.
+.It Fl S Fl e Fl i Ar template_id Fl n Ar template_name Ar device
+Sets the friendly name of the biometric enrollment specified by
+.Ar template_id
+to
+.Ar template_name
+on
+.Ar device ,
+where
+.Ar template_id
+is base64-encoded and
+.Ar template_name
+is a UTF-8 string.
+The user will be prompted for the PIN.
+.It Fl V
+Prints version information.
+.It Fl d
+Causes
+.Nm
+to emit debugging output on
+.Em stderr .
+.El
+.Pp
+If a
+.Em tty
+is available,
+.Nm
+will use it to prompt for PINs.
+Otherwise,
+.Em stdin
+is used.
+.Pp
+.Nm
+exits 0 on success and 1 on error.
+.Sh SEE ALSO
+.Xr fido2-assert 1 ,
+.Xr fido2-cred 1
+.Sh CAVEATS
+The actual user-flow to perform a reset is outside the scope of the
+FIDO2 specification, and may therefore vary depending on the
+authenticator.
+Yubico authenticators do not allow resets after 5 seconds from
+power-up, and expect a reset to be confirmed by the user through
+touch within 30 seconds.

diff --git a/man/fido2-token.1 b/man/fido2-token.1 new file mode 100644 index 0000000..d5a5734 --- /dev/null +++ b/man/fido2-token.1
@@ -0,0 +1,158 @@
	1	.\" Copyright (c) 2018 Yubico AB. All rights reserved.
	2	.\" Use of this source code is governed by a BSD-style
	3	.\" license that can be found in the LICENSE file.
	4	.\"
	5	.Dd $Mdocdate: September 13 2019 $
	6	.Dt FIDO2-TOKEN 1
	7	.Os
	8	.Sh NAME
	9	.Nm fido2-token
	10	.Nd find and manage a FIDO 2 authenticator
	11	.Sh SYNOPSIS
	12	.Nm
	13	.Op Fl CR
	14	.Op Fl d
	15	.Ar device
	16	.Nm
	17	.Fl D
	18	.Op Fl de
	19	.Fl i
	20	.Ar id
	21	.Ar device
	22	.Nm
	23	.Fl I
	24	.Op Fl cd
	25	.Op Fl k Ar rp_id Fl i Ar cred_id
	26	.Ar device
	27	.Nm
	28	.Fl L
	29	.Op Fl der
	30	.Op Fl k Ar rp_id
	31	.Op device
	32	.Nm
	33	.Fl S
	34	.Op Fl de
	35	.Op Fl i Ar template_id Fl n Ar template_name
	36	.Ar device
	37	.Nm
	38	.Fl V
	39	.Sh DESCRIPTION
	40	.Nm
	41	manages a FIDO 2 authenticator.
	42	.Pp
	43	The options are as follows:
	44	.Bl -tag -width Ds
	45	.It Fl C Ar device
	46	Changes the PIN of
	47	.Ar device .
	48	The user will be prompted for the current and new PINs.
	49	.It Fl D Fl i Ar id Ar device
	50	Deletes the resident credential specified by
	51	.Ar id
	52	from
	53	.Ar device ,
	54	where
	55	.Ar id
	56	is the credential's base64-encoded id.
	57	The user will be prompted for the PIN.
	58	.It Fl D Fl e Fl i Ar id Ar device
	59	Deletes the biometric enrollment specified by
	60	.Ar id
	61	from
	62	.Ar device ,
	63	where
	64	.Ar id
	65	is the enrollment's template base64-encoded id.
	66	The user will be prompted for the PIN.
	67	.It Fl I Ar device
	68	Retrieves information on
	69	.Ar device .
	70	.It Fl I Fl c Ar device
	71	Retrieves resident credential metadata from
	72	.Ar device .
	73	The user will be prompted for the PIN.
	74	.It Fl I Fl k Ar rp_id Fl i Ar cred_id Ar device
	75	Prints the credential id (base64-encoded) and public key
	76	(PEM encoded) of the resident credential specified by
	77	.Ar rp_id
	78	and
	79	.Ar cred_id ,
	80	where
	81	.Ar rp_id
	82	is a UTF-8 relying party id, and
	83	.Ar cred_id
	84	is a base64-encoded credential id.
	85	The user will be prompted for the PIN.
	86	.It Fl L
	87	Produces a list of authenticators found by the operating system.
	88	.It Fl L Fl e Ar device
	89	Produces a list of biometric enrollments on
	90	.Ar device .
	91	The user will be prompted for the PIN.
	92	.It Fl L Fl r Ar device
	93	Produces a list of relying parties with resident credentials on
	94	.Ar device .
	95	The user will be prompted for the PIN.
	96	.It Fl L Fl k Ar rp_id Ar device
	97	Produces a list of resident credentials corresponding to
	98	relying party
	99	.Ar rp_id
	100	on
	101	.Ar device .
	102	The user will be prompted for the PIN.
	103	.It Fl R
	104	Performs a reset on
	105	.Ar device .
	106	.Nm
	107	will NOT prompt for confirmation.
	108	.It Fl S
	109	Sets the PIN of
	110	.Ar device .
	111	The user will be prompted for the PIN.
	112	.It Fl S Fl e Ar device
	113	Performs a new biometric enrollment on
	114	.Ar device .
	115	The user will be prompted for the PIN.
	116	.It Fl S Fl e Fl i Ar template_id Fl n Ar template_name Ar device
	117	Sets the friendly name of the biometric enrollment specified by
	118	.Ar template_id
	119	to
	120	.Ar template_name
	121	on
	122	.Ar device ,
	123	where
	124	.Ar template_id
	125	is base64-encoded and
	126	.Ar template_name
	127	is a UTF-8 string.
	128	The user will be prompted for the PIN.
	129	.It Fl V
	130	Prints version information.
	131	.It Fl d
	132	Causes
	133	.Nm
	134	to emit debugging output on
	135	.Em stderr .
	136	.El
	137	.Pp
	138	If a
	139	.Em tty
	140	is available,
	141	.Nm
	142	will use it to prompt for PINs.
	143	Otherwise,
	144	.Em stdin
	145	is used.
	146	.Pp
	147	.Nm
	148	exits 0 on success and 1 on error.
	149	.Sh SEE ALSO
	150	.Xr fido2-assert 1 ,
	151	.Xr fido2-cred 1
	152	.Sh CAVEATS
	153	The actual user-flow to perform a reset is outside the scope of the
	154	FIDO2 specification, and may therefore vary depending on the
	155	authenticator.
	156	Yubico authenticators do not allow resets after 5 seconds from
	157	power-up, and expect a reset to be confirmed by the user through
	158	touch within 30 seconds.