<!DOCTYPE html>
<html>
<!-- This is an automatically generated file. Do not edit.
Copyright (c) 2018 Yubico AB. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in
the documentation and/or other materials provided with the
distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
SPDX-License-Identifier: BSD-2-Clause
-->
<head>
<meta charset="utf-8"/>
<link rel="stylesheet" href="style.css" type="text/css" media="all"/>
<title>FIDO2-ASSERT(1)</title>
</head>
<body>
<table class="head">
<tr>
<td class="head-ltitle">FIDO2-ASSERT(1)</td>
<td class="head-vol">FreeBSD General Commands Manual</td>
<td class="head-rtitle">FIDO2-ASSERT(1)</td>
</tr>
</table>
<div class="manual-text">
<section class="Sh">
<h1 class="Sh" id="NAME"><a class="permalink" href="#NAME">NAME</a></h1>
<code class="Nm">fido2-assert</code> —
<div class="Nd">get/verify a FIDO2 assertion</div>
</section>
<section class="Sh">
<h1 class="Sh" id="SYNOPSIS"><a class="permalink" href="#SYNOPSIS">SYNOPSIS</a></h1>
<table class="Nm">
<tr>
<td><code class="Nm">fido2-assert</code></td>
<td><code class="Fl">-G</code> [<code class="Fl">-bdhpruv</code>]
[<code class="Fl">-t</code> <var class="Ar">option</var>]
[<code class="Fl">-i</code> <var class="Ar">input_file</var>]
[<code class="Fl">-o</code> <var class="Ar">output_file</var>]
<var class="Ar">device</var></td>
</tr>
</table>
<br/>
<table class="Nm">
<tr>
<td><code class="Nm">fido2-assert</code></td>
<td><code class="Fl">-V</code> [<code class="Fl">-dhpv</code>]
[<code class="Fl">-i</code> <var class="Ar">input_file</var>]
<var class="Ar">key_file</var> [<var class="Ar">type</var>]</td>
</tr>
</table>
</section>
<section class="Sh">
<h1 class="Sh" id="DESCRIPTION"><a class="permalink" href="#DESCRIPTION">DESCRIPTION</a></h1>
<code class="Nm">fido2-assert</code> gets or verifies a FIDO2 assertion.
<p class="Pp">The input of <code class="Nm">fido2-assert</code> is defined by
the parameters of the assertion to be obtained/verified. See the
<a class="Sx" href="#INPUT_FORMAT">INPUT FORMAT</a> section for details.</p>
<p class="Pp">The output of <code class="Nm">fido2-assert</code> is defined by
the result of the selected operation. See the
<a class="Sx" href="#OUTPUT_FORMAT">OUTPUT FORMAT</a> section for
details.</p>
<p class="Pp">If an assertion is successfully obtained or verified,
<code class="Nm">fido2-assert</code> exits 0. Otherwise,
<code class="Nm">fido2-assert</code> exits 1.</p>
<p class="Pp">The options are as follows:</p>
<dl class="Bl-tag">
<dt><a class="permalink" href="#G"><code class="Fl" id="G">-G</code></a></dt>
<dd>Tells <code class="Nm">fido2-assert</code> to obtain a new assertion from
<var class="Ar">device</var>.</dd>
<dt><a class="permalink" href="#V"><code class="Fl" id="V">-V</code></a></dt>
<dd>Tells <code class="Nm">fido2-assert</code> to verify an assertion using
the PEM-encoded public key in <var class="Ar">key_file</var> of type
<var class="Ar">type</var>, where <var class="Ar">type</var> may be
<i class="Em">es256</i> (denoting ECDSA over NIST P-256 with SHA-256),
<i class="Em">rs256</i> (denoting 2048-bit RSA with PKCS#1.5 padding and
SHA-256), or <i class="Em">eddsa</i> (denoting EDDSA over Curve25519 with
SHA-512). If <var class="Ar">type</var> is not specified,
<i class="Em">es256</i> is assumed.</dd>
<dt><a class="permalink" href="#b"><code class="Fl" id="b">-b</code></a></dt>
<dd>Request the credential's “largeBlobKey”, a 32-byte symmetric
key associated with the asserted credential.</dd>
<dt><a class="permalink" href="#h"><code class="Fl" id="h">-h</code></a></dt>
<dd>If obtaining an assertion, enable the FIDO2 hmac-secret extension. If
verifying an assertion, check whether the extension data bit was signed by
the authenticator.</dd>
<dt><a class="permalink" href="#d"><code class="Fl" id="d">-d</code></a></dt>
<dd>Causes <code class="Nm">fido2-assert</code> to emit debugging output on
<i class="Em">stderr</i>.</dd>
<dt><a class="permalink" href="#i"><code class="Fl" id="i">-i</code></a>
<var class="Ar">input_file</var></dt>
<dd>Tells <code class="Nm">fido2-assert</code> to read the parameters of the
assertion from <var class="Ar">input_file</var> instead of
<i class="Em">stdin</i>.</dd>
<dt><a class="permalink" href="#o"><code class="Fl" id="o">-o</code></a>
<var class="Ar">output_file</var></dt>
<dd>Tells <code class="Nm">fido2-assert</code> to write output on
<var class="Ar">output_file</var> instead of
<i class="Em">stdout</i>.</dd>
<dt><a class="permalink" href="#p"><code class="Fl" id="p">-p</code></a></dt>
<dd>If obtaining an assertion, request user presence. If verifying an
assertion, check whether the user presence bit was signed by the
authenticator.</dd>
<dt><a class="permalink" href="#r"><code class="Fl" id="r">-r</code></a></dt>
<dd>Obtain an assertion using a resident credential. If
<code class="Fl">-r</code> is specified,
<code class="Nm">fido2-assert</code> will not expect a credential id in
its input, and may output multiple assertions. Resident credentials are
called “discoverable credentials” in CTAP 2.1.</dd>
<dt><a class="permalink" href="#t"><code class="Fl" id="t">-t</code></a>
<var class="Ar">option</var></dt>
<dd>Toggles a key/value <var class="Ar">option</var>, where
<var class="Ar">option</var> is a string of the form
“key=value”. The options supported at present are:
<dl class="Bl-tag">
<dt><a class="permalink" href="#up"><code class="Cm" id="up">up</code></a>=<var class="Ar">true|false</var></dt>
<dd>Asks the authenticator for user presence to be enabled or
disabled.</dd>
<dt><a class="permalink" href="#uv"><code class="Cm" id="uv">uv</code></a>=<var class="Ar">true|false</var></dt>
<dd>Asks the authenticator for user verification to be enabled or
disabled.</dd>
<dt><a class="permalink" href="#pin"><code class="Cm" id="pin">pin</code></a>=<var class="Ar">true|false</var></dt>
<dd>Tells <code class="Nm">fido2-assert</code> whether to prompt for a PIN
and request user verification.</dd>
</dl>
<p class="Pp">The <code class="Fl">-t</code> option may be specified
multiple times.</p>
</dd>
<dt><a class="permalink" href="#u"><code class="Fl" id="u">-u</code></a></dt>
<dd>Obtain an assertion using U2F. By default,
<code class="Nm">fido2-assert</code> will use FIDO2 if supported by the
authenticator, and fall back to U2F otherwise.</dd>
<dt><a class="permalink" href="#v"><code class="Fl" id="v">-v</code></a></dt>
<dd>If obtaining an assertion, prompt the user for a PIN and request user
verification from the authenticator. If verifying an assertion, check
whether the user verification bit was signed by the authenticator.</dd>
</dl>
<p class="Pp">If a <i class="Em">tty</i> is available,
<code class="Nm">fido2-assert</code> will use it to obtain the PIN.
Otherwise, <i class="Em">stdin</i> is used.</p>
</section>
<section class="Sh">
<h1 class="Sh" id="INPUT_FORMAT"><a class="permalink" href="#INPUT_FORMAT">INPUT
FORMAT</a></h1>
The input of <code class="Nm">fido2-assert</code> consists of base64 blobs and
UTF-8 strings separated by newline characters ('\n').
<p class="Pp">When obtaining an assertion, <code class="Nm">fido2-assert</code>
expects its input to consist of:</p>
<p class="Pp"></p>
<ol class="Bl-enum Bd-indent Bl-compact">
<li>client data hash (base64 blob);</li>
<li>relying party id (UTF-8 string);</li>
<li>credential id, if credential not resident (base64 blob);</li>
<li>hmac salt, if the FIDO2 hmac-secret extension is enabled (base64
blob);</li>
</ol>
<p class="Pp">When verifying an assertion, <code class="Nm">fido2-assert</code>
expects its input to consist of:</p>
<p class="Pp"></p>
<ol class="Bl-enum Bd-indent Bl-compact">
<li>client data hash (base64 blob);</li>
<li>relying party id (UTF-8 string);</li>
<li>authenticator data (base64 blob);</li>
<li>assertion signature (base64 blob);</li>
</ol>
<p class="Pp">UTF-8 strings passed to <code class="Nm">fido2-assert</code> must
not contain embedded newline or NUL characters.</p>
</section>
<section class="Sh">
<h1 class="Sh" id="OUTPUT_FORMAT"><a class="permalink" href="#OUTPUT_FORMAT">OUTPUT
FORMAT</a></h1>
The output of <code class="Nm">fido2-assert</code> consists of base64 blobs and
UTF-8 strings separated by newline characters ('\n').
<p class="Pp">For each generated assertion, <code class="Nm">fido2-assert</code>
outputs:</p>
<p class="Pp"></p>
<ol class="Bl-enum Bd-indent Bl-compact">
<li>client data hash (base64 blob);</li>
<li>relying party id (UTF-8 string);</li>
<li>authenticator data (base64 blob);</li>
<li>assertion signature (base64 blob);</li>
<li>user id, if credential resident (base64 blob);</li>
<li>hmac secret, if the FIDO2 hmac-secret extension is enabled (base64
blob);</li>
<li>the credential's associated 32-byte symmetric key
(“largeBlobKey”), if requested (base64 blob).</li>
</ol>
<p class="Pp">When verifying an assertion, <code class="Nm">fido2-assert</code>
produces no output.</p>
</section>
<section class="Sh">
<h1 class="Sh" id="EXAMPLES"><a class="permalink" href="#EXAMPLES">EXAMPLES</a></h1>
Assuming <span class="Pa">cred</span> contains an <i class="Em">es256</i>
credential created according to the steps outlined in
<a class="Xr" href="fido2-cred.html">fido2-cred(1)</a>, obtain an assertion
from an authenticator at <span class="Pa">/dev/hidraw5</span> and verify it:
<p class="Pp"></p>
<div class="Bd Bd-indent"><code class="Li">$ echo assertion challenge | openssl
sha256 -binary | base64 > assert_param</code></div>
<div class="Bd Bd-indent"><code class="Li">$ echo relying party >>
assert_param</code></div>
<div class="Bd Bd-indent"><code class="Li">$ head -1 cred >>
assert_param</code></div>
<div class="Bd Bd-indent"><code class="Li">$ tail -n +2 cred >
pubkey</code></div>
<div class="Bd Bd-indent"><code class="Li">$ fido2-assert -G -i assert_param
/dev/hidraw5 | fido2-assert -V pubkey es256</code></div>
</section>
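<p class="Pp">The <a class="Sx" href="#INPUT_FORMAT">INPUT FORMAT</a> and
<a class="Sx" href="#OUTPUT_FORMAT">OUTPUT FORMAT</a> sections and the pipeline in
<a class="Sx" href="#EXAMPLES">EXAMPLES</a> are worked through in the following
Python, an example added for this page that is not part of libfido2. It builds the
<code class="Fl">-G</code> input line by line (including the hmac salt and the
no-credential-id case for <code class="Fl">-r</code>), splits
<code class="Fl">-G</code> output into one record per assertion (the number of
lines per assertion follows from the <code class="Fl">-r</code>,
<code class="Fl">-h</code> and <code class="Fl">-b</code> flags that were given to
<code class="Fl">-G</code>, which is the only way to tell where one assertion ends
and the next begins), and applies the flag checks that <code class="Fl">-V</code>
performs for <code class="Fl">-p</code>, <code class="Fl">-v</code> and
<code class="Fl">-h</code>, the rpIdHash binding check (the reason
<code class="Fl">-V</code> takes the relying party id as input), and a check
<code class="Fl">-V</code> cannot make because it keeps no state: that the
signature counter increased since the last accepted assertion. The relying party
<i class="Em">example.com</i>, the user ids, the counter values and the zeroed
signatures are constructed sample data; only <code class="Nm">fido2-assert</code>
<code class="Fl">-V</code> with the credential's public key can validate a real
signature.</p>

```python
# Added example for this page, not libfido2 code; all sample data is constructed.
import base64
import hashlib
import struct

# Flag bits in byte 32 of the authenticator data (WebAuthn/CTAP2 layout);
# these are the bits 'fido2-assert -V' tests for -p, -v and -h respectively.
FLAG_UP, FLAG_UV, FLAG_ED = 0x01, 0x04, 0x80


def b64(data):
    return base64.b64encode(data).decode()


def build_get_input(client_data, rp_id, cred_id=None, hmac_salt=None):
    """Bytes for 'fido2-assert -G' (stdin or -i): SHA-256 of the client data,
    rp id, credential id unless -r is used, hmac salt only with -h. The hash
    is what gets signed, so client_data must carry a fresh challenge: an old
    or predictable hash lets a recorded assertion be replayed."""
    if "\n" in rp_id or "\x00" in rp_id:
        raise ValueError("relying party id must not contain newline or NUL")
    lines = [b64(hashlib.sha256(client_data).digest()), rp_id]
    if cred_id is not None:
        lines.append(b64(cred_id))
    if hmac_salt is not None:
        lines.append(b64(hmac_salt))
    return ("\n".join(lines) + "\n").encode()


def parse_assertions(output, resident=False, hmac_secret=False, large_blob_key=False):
    """Split 'fido2-assert -G' output into assertions. Lines per assertion are
    fixed by the flags given to -G: four always, then user id (-r), hmac
    secret (-h) and largeBlobKey (-b). With -r several assertions may follow
    each other. The first four lines are exactly what '-V' reads."""
    per = 4 + int(resident) + int(hmac_secret) + int(large_blob_key)
    lines = output.decode().rstrip("\n").split("\n")
    if len(lines) % per:
        raise ValueError(f"expected a multiple of {per} lines, got {len(lines)}")
    result = []
    for i in range(0, len(lines), per):
        chunk = lines[i:i + per]
        a = {"client_data_hash": base64.b64decode(chunk[0]), "rp_id": chunk[1],
             "authdata": base64.b64decode(chunk[2]),
             "signature": base64.b64decode(chunk[3])}
        rest = iter(chunk[4:])
        for name, wanted in (("user_id", resident), ("hmac_secret", hmac_secret),
                             ("large_blob_key", large_blob_key)):
            if wanted:
                a[name] = base64.b64decode(next(rest))
        result.append(a)
    return result


def check_authdata(authdata, rp_id, require_up=True, require_uv=False,
                   require_ed=False, last_count=None):
    """Flag checks as '-V -p/-v/-h' do them, the rpIdHash binding '-V' also
    checks, and signature-counter monotonicity, which '-V' cannot check."""
    if len(authdata) < 37:
        raise ValueError("authenticator data too short")
    rp_hash, flags = authdata[:32], authdata[32]
    (count,) = struct.unpack(">I", authdata[33:37])
    if rp_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash mismatch: assertion is for another relying party")
    if require_up and not flags & FLAG_UP:
        raise ValueError("user presence bit not set")
    if require_uv and not flags & FLAG_UV:
        raise ValueError("user verification bit not set")
    if require_ed and not flags & FLAG_ED:
        raise ValueError("extension data bit not set")
    # Zero means the authenticator keeps no counter; otherwise a counter that
    # does not increase is the usual sign of a cloned credential.
    if last_count is not None and count != 0 and count <= last_count:
        raise ValueError("signature counter did not increase: possible clone")
    return {"up": bool(flags & FLAG_UP), "uv": bool(flags & FLAG_UV),
            "ed": bool(flags & FLAG_ED), "count": count}


def rejection_reason(authdata, rp_id, **policy):
    """None if check_authdata accepts the data, else why it rejected it."""
    try:
        check_authdata(authdata, rp_id, **policy)
    except ValueError as e:
        return str(e)
    return None


def make_authdata(rp_id, flags, count):
    """Constructed, extension-free authenticator data for the sample below."""
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
            + struct.pack(">I", count))


# Constructed sample of what '-G -r' might print for two resident credentials.
# The client data hash matches the EXAMPLES section ('echo' adds a newline);
# the 64 zero bytes stand in for a real signature.
SAMPLE_RP_ID = "example.com"
SAMPLE_CDH = hashlib.sha256(b"assertion challenge\n").digest()
SAMPLE_OUTPUT = b"".join(
    ("\n".join([b64(SAMPLE_CDH), SAMPLE_RP_ID,
                b64(make_authdata(SAMPLE_RP_ID, FLAG_UP | FLAG_UV, count)),
                b64(b"\x00" * 64), b64(user_id)]) + "\n").encode()
    for count, user_id in ((7, b"alice"), (12, b"bob")))
```

<p class="Pp">Feed <code class="Li">build_get_input(...)</code> to
<code class="Nm">fido2-assert</code> <code class="Fl">-G -i</code> and pass the
captured output to <code class="Li">parse_assertions</code> with the same
<code class="Fl">-r</code>/<code class="Fl">-h</code>/<code class="Fl">-b</code>
choices; a line count that is not a multiple of the expected record size means the
flags used for parsing do not match the flags used for
<code class="Fl">-G</code>. The stored counter passed as
<code class="Li">last_count</code> must be updated only after the signature has
been verified, otherwise a forged assertion could advance it.</p>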
<section class="Sh">
<h1 class="Sh" id="SEE_ALSO"><a class="permalink" href="#SEE_ALSO">SEE
ALSO</a></h1>
<a class="Xr" href="fido2-cred.html">fido2-cred(1)</a>,
<a class="Xr" href="fido2-token.html">fido2-token(1)</a>
</section>
</div>
<table class="foot">
<tr>
<td class="foot-date">November 5, 2019</td>
<td class="foot-os">Yubico AB</td>
</tr>
</table>
</body>
</html>