diff options
Diffstat (limited to 'lib/libfido2/man/fido_cred_verify.3')
-rw-r--r-- | lib/libfido2/man/fido_cred_verify.3 | 58 |
1 files changed, 40 insertions, 18 deletions
diff --git a/lib/libfido2/man/fido_cred_verify.3 b/lib/libfido2/man/fido_cred_verify.3 index 47c14948e94..9db299e64cf 100644 --- a/lib/libfido2/man/fido_cred_verify.3 +++ b/lib/libfido2/man/fido_cred_verify.3 @@ -1,36 +1,41 @@ -.\" Copyright (c) 2018 Yubico AB. All rights reserved. +.\" Copyright (c) 2018-2021 Yubico AB. All rights reserved. .\" Use of this source code is governed by a BSD-style .\" license that can be found in the LICENSE file. .\" -.Dd $Mdocdate: October 26 2021 $ +.Dd $Mdocdate: August 29 2022 $ .Dt FIDO_CRED_VERIFY 3 .Os .Sh NAME -.Nm fido_cred_verify -.Nd verifies the attestation signature of a FIDO 2 credential +.Nm fido_cred_verify , +.Nm fido_cred_verify_self +.Nd verify the attestation signature of a FIDO2 credential .Sh SYNOPSIS .In fido.h .Ft int .Fn fido_cred_verify "const fido_cred_t *cred" +.Ft int +.Fn fido_cred_verify_self "const fido_cred_t *cred" .Sh DESCRIPTION The .Fn fido_cred_verify -function verifies whether the attestation signature contained in +and +.Fn fido_cred_verify_self +functions verify whether the attestation signature contained in .Fa cred matches the attributes of the credential. Before using .Fn fido_cred_verify +or +.Fn fido_cred_verify_self in a sensitive context, the reader is strongly encouraged to make -herself familiar with the FIDO 2 credential attestation process +herself familiar with the FIDO2 credential attestation process as defined in the Web Authentication (webauthn) standard. .Pp -A brief description follows: -.Pp The .Fn fido_cred_verify function verifies whether the client data hash, relying party ID, -credential ID, type, and resident/discoverable key and user verification -attributes of +credential ID, type, protection policy, minimum PIN length, and +resident/discoverable key and user verification attributes of .Fa cred have been attested by the holder of the private counterpart of the public key contained in the credential's x509 certificate. @@ -40,27 +45,44 @@ Please note that the x509 certificate itself is not verified. The attestation statement formats supported by .Fn fido_cred_verify are -.Em packed +.Em packed , +.Em fido-u2f , and -.Em fido-u2f . +.Em tpm . The attestation type implemented by .Fn fido_cred_verify is .Em Basic Attestation . -The attestation key pair is assumed to be of the type ES256. +.Pp +The +.Fn fido_cred_verify_self +function verifies whether the client data hash, relying party ID, +credential ID, type, protection policy, minimum PIN length, and +resident/discoverable key and user verification attributes of +.Fa cred +have been attested by the holder of the credential's private key. +.Pp +The attestation statement formats supported by +.Fn fido_cred_verify_self +are +.Em packed +and +.Em fido-u2f . +The attestation type implemented by +.Fn fido_cred_verify_self +is +.Em Self Attestation . +.Pp Other attestation formats and types are not supported. .Sh RETURN VALUES The error codes returned by .Fn fido_cred_verify +and +.Fn fido_cred_verify_self are defined in .In fido/err.h . If .Fa cred -does not contain attestation data, then -.Dv FIDO_ERR_INVALID_ARGUMENT -is returned. -If -.Fa cred passes verification, then .Dv FIDO_OK is returned. |