<!DOCTYPE html>
<html>
<!-- This is an automatically generated file. Do not edit.
Copyright (c) 2018 Yubico AB. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in
the documentation and/or other materials provided with the
distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
SPDX-License-Identifier: BSD-2-Clause
-->
<head>
<meta charset="utf-8"/>
<link rel="stylesheet" href="style.css" type="text/css" media="all"/>
<title>FIDO2-CRED(1)</title>
</head>
<body>
<table class="head">
<tr>
<td class="head-ltitle">FIDO2-CRED(1)</td>
<td class="head-vol">FreeBSD General Commands Manual</td>
<td class="head-rtitle">FIDO2-CRED(1)</td>
</tr>
</table>
<div class="manual-text">
<section class="Sh">
<h1 class="Sh" id="NAME"><a class="permalink" href="#NAME">NAME</a></h1>
<code class="Nm">fido2-cred</code> —
<div class="Nd">make/verify a FIDO2 credential</div>
</section>
<section class="Sh">
<h1 class="Sh" id="SYNOPSIS"><a class="permalink" href="#SYNOPSIS">SYNOPSIS</a></h1>
<table class="Nm">
<tr>
<td><code class="Nm">fido2-cred</code></td>
<td><code class="Fl">-M</code> [<code class="Fl">-bdhqruv</code>]
[<code class="Fl">-c</code> <var class="Ar">cred_protect</var>]
[<code class="Fl">-i</code> <var class="Ar">input_file</var>]
[<code class="Fl">-o</code> <var class="Ar">output_file</var>]
<var class="Ar">device</var> [<var class="Ar">type</var>]</td>
</tr>
</table>
<br/>
<table class="Nm">
<tr>
<td><code class="Nm">fido2-cred</code></td>
<td><code class="Fl">-V</code> [<code class="Fl">-dhv</code>]
[<code class="Fl">-c</code> <var class="Ar">cred_protect</var>]
[<code class="Fl">-i</code> <var class="Ar">input_file</var>]
[<code class="Fl">-o</code> <var class="Ar">output_file</var>]
[<var class="Ar">type</var>]</td>
</tr>
</table>
</section>
<section class="Sh">
<h1 class="Sh" id="DESCRIPTION"><a class="permalink" href="#DESCRIPTION">DESCRIPTION</a></h1>
<code class="Nm">fido2-cred</code> makes or verifies a FIDO2 credential.
<p class="Pp">A credential <var class="Ar">type</var> may be
<i class="Em">es256</i> (denoting ECDSA over NIST P-256 with SHA-256),
<i class="Em">rs256</i> (denoting 2048-bit RSA with PKCS#1.5 padding and
SHA-256), or <i class="Em">eddsa</i> (denoting EDDSA over Curve25519 with
SHA-512). If <var class="Ar">type</var> is not specified,
<i class="Em">es256</i> is assumed.</p>
<p class="Pp">When making a credential, the authenticator may require the user
to authenticate with a PIN. If the <code class="Fl">-q</code> option is not
specified, <code class="Nm">fido2-cred</code> will prompt the user for the
PIN. If a <i class="Em">tty</i> is available,
<code class="Nm">fido2-cred</code> will use it to obtain the PIN. Otherwise,
<i class="Em">stdin</i> is used.</p>
<p class="Pp">The input of <code class="Nm">fido2-cred</code> is defined by the
parameters of the credential to be made/verified. See the
<a class="Sx" href="#INPUT_FORMAT">INPUT FORMAT</a> section for details.</p>
<p class="Pp">The output of <code class="Nm">fido2-cred</code> is defined by the
result of the selected operation. See the
<a class="Sx" href="#OUTPUT_FORMAT">OUTPUT FORMAT</a> section for
details.</p>
<p class="Pp">If a credential is successfully created or verified,
<code class="Nm">fido2-cred</code> exits 0. Otherwise,
<code class="Nm">fido2-cred</code> exits 1.</p>
<p class="Pp">The options are as follows:</p>
<dl class="Bl-tag">
<dt><a class="permalink" href="#M"><code class="Fl" id="M">-M</code></a></dt>
<dd>Tells <code class="Nm">fido2-cred</code> to make a new credential on
<var class="Ar">device</var>.</dd>
<dt><a class="permalink" href="#V"><code class="Fl" id="V">-V</code></a></dt>
<dd>Tells <code class="Nm">fido2-cred</code> to verify a credential.</dd>
<dt><a class="permalink" href="#b"><code class="Fl" id="b">-b</code></a></dt>
<dd>Request the credential's “largeBlobKey”, a 32-byte symmetric
key associated with the generated credential.</dd>
<dt><a class="permalink" href="#c"><code class="Fl" id="c">-c</code></a>
<var class="Ar">cred_protect</var></dt>
<dd>If making a credential, set the credential's protection level to
<var class="Ar">cred_protect</var>, where
<var class="Ar">cred_protect</var> is the credential's protection level in
decimal notation. Please refer to
<code class="In">&lt;<a class="In">fido/param.h</a>&gt;</code> for the set
of possible values. If verifying a credential, check whether the
credential's protection level was signed by the authenticator as
<var class="Ar">cred_protect</var>.</dd>
<dt><a class="permalink" href="#d"><code class="Fl" id="d">-d</code></a></dt>
<dd>Causes <code class="Nm">fido2-cred</code> to emit debugging output on
<i class="Em">stderr</i>.</dd>
<dt><a class="permalink" href="#h"><code class="Fl" id="h">-h</code></a></dt>
<dd>If making a credential, enable the FIDO2 hmac-secret extension. If
verifying a credential, check whether the extension data bit was signed by
the authenticator.</dd>
<dt><a class="permalink" href="#i"><code class="Fl" id="i">-i</code></a>
<var class="Ar">input_file</var></dt>
<dd>Tells <code class="Nm">fido2-cred</code> to read the parameters of the
credential from <var class="Ar">input_file</var> instead of
<i class="Em">stdin</i>.</dd>
<dt><a class="permalink" href="#o"><code class="Fl" id="o">-o</code></a>
<var class="Ar">output_file</var></dt>
<dd>Tells <code class="Nm">fido2-cred</code> to write output on
<var class="Ar">output_file</var> instead of
<i class="Em">stdout</i>.</dd>
<dt><a class="permalink" href="#q"><code class="Fl" id="q">-q</code></a></dt>
<dd>Tells <code class="Nm">fido2-cred</code> to be quiet. If a PIN is required
and <code class="Fl">-q</code> is specified,
<code class="Nm">fido2-cred</code> will fail.</dd>
<dt><a class="permalink" href="#r"><code class="Fl" id="r">-r</code></a></dt>
<dd>Create a resident credential. Resident credentials are called
“discoverable credentials” in CTAP 2.1.</dd>
<dt><a class="permalink" href="#u"><code class="Fl" id="u">-u</code></a></dt>
<dd>Create a U2F credential. By default, <code class="Nm">fido2-cred</code>
will use FIDO2 if supported by the authenticator, and fall back to U2F
otherwise.</dd>
<dt><a class="permalink" href="#v"><code class="Fl" id="v">-v</code></a></dt>
<dd>If making a credential, request user verification. If verifying a
credential, check whether the user verification bit was signed by the
authenticator.</dd>
</dl>
</section>
<section class="Sh">
<h1 class="Sh" id="INPUT_FORMAT"><a class="permalink" href="#INPUT_FORMAT">INPUT
FORMAT</a></h1>
The input of <code class="Nm">fido2-cred</code> consists of base64 blobs and
UTF-8 strings separated by newline characters ('\n').
<p class="Pp">When making a credential, <code class="Nm">fido2-cred</code>
expects its input to consist of:</p>
<p class="Pp"></p>
<ol class="Bl-enum Bd-indent Bl-compact">
<li>client data hash (base64 blob);</li>
<li>relying party id (UTF-8 string);</li>
<li>user name (UTF-8 string);</li>
<li>user id (base64 blob).</li>
</ol>
<p class="Pp">When verifying a credential, <code class="Nm">fido2-cred</code>
expects its input to consist of:</p>
<p class="Pp"></p>
<ol class="Bl-enum Bd-indent Bl-compact">
<li>client data hash (base64 blob);</li>
<li>relying party id (UTF-8 string);</li>
<li>credential format (UTF-8 string);</li>
<li>authenticator data (base64 blob);</li>
<li>credential id (base64 blob);</li>
<li>attestation signature (base64 blob);</li>
<li>attestation certificate (optional, base64 blob).</li>
</ol>
<p class="Pp">UTF-8 strings passed to <code class="Nm">fido2-cred</code> must
not contain embedded newline or NUL characters.</p>
</section>
<section class="Sh">
<h1 class="Sh" id="OUTPUT_FORMAT"><a class="permalink" href="#OUTPUT_FORMAT">OUTPUT
FORMAT</a></h1>
The output of <code class="Nm">fido2-cred</code> consists of base64 blobs, UTF-8
strings, and PEM-encoded public keys separated by newline characters ('\n').
<p class="Pp">Upon the successful generation of a credential,
<code class="Nm">fido2-cred</code> outputs:</p>
<p class="Pp"></p>
<ol class="Bl-enum Bd-indent Bl-compact">
<li>client data hash (base64 blob);</li>
<li>relying party id (UTF-8 string);</li>
<li>credential format (UTF-8 string);</li>
<li>authenticator data (base64 blob);</li>
<li>credential id (base64 blob);</li>
<li>attestation signature (base64 blob);</li>
<li>attestation certificate, if present (base64 blob);</li>
<li>the credential's associated 32-byte symmetric key
(“largeBlobKey”), if present (base64 blob).</li>
</ol>
<p class="Pp">Upon the successful verification of a credential,
<code class="Nm">fido2-cred</code> outputs:</p>
<p class="Pp"></p>
<ol class="Bl-enum Bd-indent Bl-compact">
<li>credential id (base64 blob);</li>
<li>PEM-encoded credential key.</li>
</ol>
</section>
<section class="Sh">
<h1 class="Sh" id="EXAMPLES"><a class="permalink" href="#EXAMPLES">EXAMPLES</a></h1>
Create a new <i class="Em">es256</i> credential on
<span class="Pa">/dev/hidraw5</span>, verify it, and save the id and the
public key of the credential in <i class="Em">cred</i>:
<p class="Pp"></p>
<div class="Bd Bd-indent"><code class="Li">$ echo credential challenge | openssl
sha256 -binary | base64 > cred_param</code></div>
<div class="Bd Bd-indent"><code class="Li">$ echo relying party >>
cred_param</code></div>
<div class="Bd Bd-indent"><code class="Li">$ echo user name >>
cred_param</code></div>
<div class="Bd Bd-indent"><code class="Li">$ dd if=/dev/urandom bs=1 count=32 |
base64 >> cred_param</code></div>
<div class="Bd Bd-indent"><code class="Li">$ fido2-cred -M -i cred_param
/dev/hidraw5 | fido2-cred -V -o cred</code></div>
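<p class="Pp">As an added illustration (not part of this manual or of libfido2), the following Python script parses the newline-separated output of <code class="Nm">fido2-cred -M</code> described under OUTPUT FORMAT (which is also the input <code class="Nm">fido2-cred -V</code> reads) and re-derives the checks <code class="Fl">-V</code> performs with <code class="Fl">-v</code> and <code class="Fl">-h</code> on the signed authenticator data: rpIdHash against the relying party id, the user presence, user verification and extension data flag bits, and the credential id embedded in the attested credential data. The sample output at the bottom is constructed (zero AAGUID, dummy credential id, key and signature), not captured from a device.</p>

```python
import base64
import hashlib
import struct

# Flag bits in the authenticator data "flags" byte (CTAP2 / WebAuthn layout).
FLAG_UP, FLAG_UV, FLAG_AT, FLAG_ED = 0x01, 0x04, 0x40, 0x80
FIELDS = ["cdh", "rp_id", "fmt", "auth_data", "cred_id", "sig", "cert", "large_blob_key"]

def parse_make_output(text):
    # Lines 1-6 are mandatory; line 7 (certificate) and 8 (largeBlobKey) appear only if present.
    lines = text.strip("\n").split("\n")
    if len(lines) < 6:
        raise ValueError("expected at least 6 output lines")
    rec = dict(zip(FIELDS, lines))
    for k in ("cdh", "auth_data", "cred_id", "sig", "cert", "large_blob_key"):
        if k in rec:  # validate=True rejects anything that is not clean base64
            rec[k] = base64.b64decode(rec[k], validate=True)
    return rec

def check_auth_data(rec, expect_uv=False, expect_ext=False):
    # The checks fido2-cred -V makes (with -v / -h) on the signed authenticator data.
    ad = rec["auth_data"]
    rp_hash, flags = ad[:32], ad[32]
    if rp_hash != hashlib.sha256(rec["rp_id"].encode()).digest():
        return "rpIdHash does not match relying party id"
    if not flags & FLAG_UP:
        return "user presence bit not set"
    if expect_uv and not flags & FLAG_UV:
        return "user verification bit not set"
    if expect_ext and not flags & FLAG_ED:
        return "extension data bit not set"
    if not flags & FLAG_AT:
        return "no attested credential data"
    # Attested credential data: aaguid(16) | credIdLen(2, big-endian) | credId | COSE key.
    cred_len = struct.unpack(">H", ad[53:55])[0]
    if ad[55:55 + cred_len] != rec["cred_id"]:
        return "credential id differs from the one in authenticator data"
    return "ok"

# Constructed sample standing in for real -M output: zero AAGUID, dummy credential id, dummy key/sig.
_RP, _CRED_ID = "relying party", bytes(range(16))
_AUTH = (hashlib.sha256(_RP.encode()).digest() + bytes([FLAG_UP | FLAG_AT])
         + struct.pack(">I", 0) + b"\x00" * 16 + struct.pack(">H", 16) + _CRED_ID + b"\xa5")
SAMPLE_OUTPUT = "\n".join([
    base64.b64encode(hashlib.sha256(b"credential challenge\n").digest()).decode(),
    _RP, "packed",
    base64.b64encode(_AUTH).decode(),
    base64.b64encode(_CRED_ID).decode(),
    base64.b64encode(b"\x00" * 8).decode(),
]) + "\n"
```

To use it on real output, redirect <code class="Nm">fido2-cred -M</code> to a file instead of piping it into <code class="Fl">-V</code> and pass the file contents to <code class="Li">parse_make_output</code>; the script does not verify the attestation signature, which remains the job of <code class="Fl">-V</code>.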
</section>
<section class="Sh">
<h1 class="Sh" id="SEE_ALSO"><a class="permalink" href="#SEE_ALSO">SEE
ALSO</a></h1>
<a class="Xr" href="fido2-assert.html">fido2-assert(1)</a>,
<a class="Xr" href="fido2-token.html">fido2-token(1)</a>
</section>
<section class="Sh">
<h1 class="Sh" id="CAVEATS"><a class="permalink" href="#CAVEATS">CAVEATS</a></h1>
Please note that <code class="Nm">fido2-cred</code> handles Basic Attestation
and Self Attestation transparently. In the case of Basic Attestation, the
validity of the authenticator's attestation certificate is
<i class="Em">not</i> verified.
</section>
</div>
<table class="foot">
<tr>
<td class="foot-date">November 5, 2019</td>
<td class="foot-os">Yubico AB</td>
</tr>
</table>
</body>
</html>