path: root/examples/README.adoc
blob: 091c6bc50ca26fea4c3aa81c841f1e9888560f00 (plain)
= Examples

=== Definitions

The following definitions are used in the description below:

- <device>

	The file system path or subsystem-specific identification string of a
	FIDO device.

- <pin>, [oldpin]

	Strings passed directly in the executed command's argument vector.

- <cred_id>

	The file system path of a file containing a FIDO credential ID in
	binary representation.

- <pubkey>

	The file system path of a file containing a NIST P-256 public key in
	PEM format.

=== Description

The following examples are provided:

- manifest

	Prints a list of configured FIDO devices.

- info <device>

	Prints information about <device>.

- reset <device>

	Performs a factory reset on <device>.

- setpin <pin> [oldpin] <device>

	Configures <pin> as the new PIN of <device>. If [oldpin] is provided,
	the device's PIN is changed from [oldpin] to <pin>.

- cred [-t ecdsa|rsa|eddsa] [-k pubkey] [-ei cred_id] [-P pin] [-T seconds]
       [-hruv] <device>

	Creates a new credential on <device> and verifies that the credential
	was signed by the authenticator. The device's attestation certificate
	is not verified. If option -k is specified, the credential's public
	key is stored in <pubkey>. If option -i is specified, the credential
	ID is stored in <cred_id>. The -e option may be used to add <cred_id>
	to the list of excluded credentials. If option -h is specified,
	the hmac-secret FIDO2 extension is enabled on the generated
	credential. If option -r is specified, the generated credential
	will involve a resident key. User verification may be requested
	through the -v option. If option -u is specified, the credential
	is generated using U2F (CTAP1) instead of FIDO2 (CTAP2) commands.
	The -T option may be used to enforce a timeout of <seconds>.

- assert [-t ecdsa|rsa|eddsa] [-a cred_id] [-h hmac_secret] [-s hmac_salt]
	 [-P pin] [-T seconds] [-puv] <pubkey> <device>

	Asks <device> for a FIDO2 assertion corresponding to [cred_id],
	which may be omitted for resident keys. The obtained assertion
	is verified using <pubkey>. The -p option requests that the user
	be present. User verification may be requested through the -v
	option. If option -u is specified, the assertion is generated using
	U2F (CTAP1) instead of FIDO2 (CTAP2) commands. If option -s is
	specified, a FIDO2 hmac-secret is requested from the authenticator,
	and the contents of <hmac_salt> are used as the salt. If option -h
	is specified, the resulting hmac-secret is stored in <hmac_secret>.
	The -T option may be used to enforce a timeout of <seconds>.

- retries <device>

	Gets the number of PIN attempts left on <device> before lockout.
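The assert example above verifies the assertion's signature with <pubkey>, but a relying party also has to inspect the authenticator data that the signature covers before it can trust what the -p and -v options asked for. The following Python is an added illustration, not code from the libfido2 examples; it assumes the CTAP2/WebAuthn authenticator-data layout (rpIdHash, one flags byte, a big-endian 32-bit signature counter) and uses constructed relying-party ids and counter values. It deliberately leaves the ECDSA signature check to a crypto library and shows only the structural checks: that the rpIdHash belongs to the expected relying party, that the UP and UV flag bits match the user-presence and user-verification policy, and that the signature counter moved forward.

```python
"""Policy checks on FIDO2 authenticator data (added example, not libfido2 code).

Layout assumed (CTAP2 / WebAuthn): rpIdHash (32 bytes) | flags (1 byte) |
signCount (4 bytes, big-endian) | optional attested credential data | extensions.
"""
import hashlib
import struct

# Bits of the flags byte.
FLAG_UP = 0x01  # user present (what the -p option requests)
FLAG_UV = 0x04  # user verified (what the -v option requests)
FLAG_AT = 0x40  # attested credential data follows (credential creation only)
FLAG_ED = 0x80  # extension data follows (e.g. hmac-secret output)

AUTHDATA_MIN_LEN = 37


def parse_authdata(authdata: bytes) -> dict:
    """Split the fixed 37-byte prefix of authenticator data into its fields."""
    if len(authdata) < AUTHDATA_MIN_LEN:
        raise ValueError("authenticator data shorter than 37 bytes")
    rp_id_hash = authdata[:32]
    flags = authdata[32]
    (sign_count,) = struct.unpack(">I", authdata[33:37])
    return {
        "rp_id_hash": rp_id_hash,
        "flags": flags,
        "sign_count": sign_count,
        "rest": authdata[AUTHDATA_MIN_LEN:],  # attested cred data / extensions, if any
    }


def signed_message(authdata: bytes, client_data_hash: bytes) -> bytes:
    """The bytes an authenticator signs for an assertion: authData || clientDataHash.

    This is what the ECDSA/RSA/EdDSA verification with <pubkey> must be run over.
    """
    return authdata + client_data_hash


def check_assertion_authdata(authdata: bytes, rp_id: str, last_sign_count: int,
                             require_up: bool = True, require_uv: bool = False) -> list:
    """Return a list of policy failures; an empty list means the authData is acceptable.

    last_sign_count is the counter value stored from the previous assertion.
    """
    ad = parse_authdata(authdata)
    problems = []

    # The authenticator binds the assertion to a relying party id by hashing it.
    if ad["rp_id_hash"] != hashlib.sha256(rp_id.encode("utf-8")).digest():
        problems.append("rpIdHash does not match relying party id")

    # A flag the authenticator did not set means the requested check did not happen.
    if require_up and not ad["flags"] & FLAG_UP:
        problems.append("user presence (UP) flag not set")
    if require_uv and not ad["flags"] & FLAG_UV:
        problems.append("user verification (UV) flag not set")

    # A counter that fails to increase suggests a cloned authenticator.
    # Authenticators that do not implement the counter report 0 every time.
    if (ad["sign_count"] != 0 or last_sign_count != 0) and ad["sign_count"] <= last_sign_count:
        problems.append("signature counter did not increase")

    return problems


def make_authdata(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build a constructed 37-byte authData sample (test data, not from a real device)."""
    return hashlib.sha256(rp_id.encode("utf-8")).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    # Constructed sample: relying party "example.com", UP set, UV not set, counter 5.
    sample = make_authdata("example.com", FLAG_UP, 5)
    print("UP only, -p policy   :", check_assertion_authdata(sample, "example.com", 4))
    print("UP only, -v policy   :", check_assertion_authdata(sample, "example.com", 4, require_uv=True))
    print("replayed counter     :", check_assertion_authdata(sample, "example.com", 5))
    print("wrong relying party  :", check_assertion_authdata(sample, "other.example", 4))
```

Run the file directly to see the four outcomes; in a real verifier the same checks sit next to the signature check over `signed_message(...)`, and an assertion is rejected if either part fails.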

Debugging is possible through the use of the FIDO_DEBUG environment variable.
If set, libfido2 will produce a log of its transactions with the authenticator.