.\" Copyright (c) 2020 Yubico AB. All rights reserved.
.\" Use of this source code is governed by a BSD-style
.\" license that can be found in the LICENSE file.
.\"
.Dd $Mdocdate: August 29 2022 $
.Dt FIDO_DEV_ENABLE_ENTATTEST 3
.Os
.Sh NAME
.Nm fido_dev_enable_entattest ,
.Nm fido_dev_toggle_always_uv ,
.Nm fido_dev_force_pin_change ,
.Nm fido_dev_set_pin_minlen ,
.Nm fido_dev_set_pin_minlen_rpid
.Nd CTAP 2.1 configuration authenticator API
.Sh SYNOPSIS
.In fido.h
.In fido/config.h
.Ft int
.Fn fido_dev_enable_entattest "fido_dev_t *dev" "const char *pin"
.Ft int
.Fn fido_dev_toggle_always_uv "fido_dev_t *dev" "const char *pin"
.Ft int
.Fn fido_dev_force_pin_change "fido_dev_t *dev" "const char *pin"
.Ft int
.Fn fido_dev_set_pin_minlen "fido_dev_t *dev" "size_t len" "const char *pin"
.Ft int
.Fn fido_dev_set_pin_minlen_rpid "fido_dev_t *dev" "const char * const *rpid" "size_t n" "const char *pin"
.Sh DESCRIPTION
The functions described in this page allow configuration of a
CTAP 2.1 authenticator.
.Pp
The
.Fn fido_dev_enable_entattest
function enables the
.Em Enterprise Attestation
feature on
.Fa dev .
.Em Enterprise Attestation
instructs the authenticator to include uniquely identifying
information in subsequent attestation statements.
The
.Fa pin
parameter may be NULL if
.Fa dev
does not have a PIN set.
.Pp
The
.Fn fido_dev_toggle_always_uv
function toggles the
.Dq user verification always
feature on
.Fa dev .
When set, this toggle enforces user verification at the
authenticator level for all known credentials.
If
.Fa dev
supports U2F (CTAP1) and the user verification methods supported by
the authenticator do not allow protection of U2F credentials, the
U2F subsystem will be disabled by the authenticator.
The
.Fa pin
parameter may be NULL if
.Fa dev
does not have a PIN set.
.Pp
The
.Fn fido_dev_force_pin_change
function instructs
.Fa dev
to require a PIN change.
Subsequent PIN authentication attempts against
.Fa dev
will fail until its PIN is changed.
.Pp
The
.Fn fido_dev_set_pin_minlen
function sets the minimum PIN length of
.Fa dev
to
.Fa len .
Minimum PIN lengths may only be increased.
.Pp
The
.Fn fido_dev_set_pin_minlen_rpid
function sets the list of relying party identifiers
.Pq RP IDs
that are allowed to obtain the minimum PIN length of
.Fa dev
through the CTAP 2.1
.Dv FIDO_EXT_MINPINLEN
extension.
The list of RP identifiers is denoted by
.Fa rpid ,
a vector of
.Fa n
NUL-terminated UTF-8 strings.
A copy of
.Fa rpid
is made, and no reference to it or its contents is kept.
.Pp
Configuration settings are reflected in the payload returned by the
authenticator in response to a
.Xr fido_dev_get_cbor_info 3
call.
.Sh RETURN VALUES
The error codes returned by
.Fn fido_dev_enable_entattest ,
.Fn fido_dev_toggle_always_uv ,
.Fn fido_dev_force_pin_change ,
.Fn fido_dev_set_pin_minlen ,
and
.Fn fido_dev_set_pin_minlen_rpid
are defined in
.In fido/err.h .
On success,
.Dv FIDO_OK
is returned.
.Sh SEE ALSO
.Xr fido_cred_pin_minlen 3 ,
.Xr fido_dev_get_cbor_info 3 ,
.Xr fido_dev_reset 3
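.Sh EXAMPLES
Because
.Fn fido_dev_toggle_always_uv
flips the current state and minimum PIN lengths may only be increased,
a provisioning tool should read the current settings before changing them.
The following added example (not libfido2 code) plans which calls are needed;
plan_config, struct policy and the ACT_* constants are hypothetical names,
and the option name alwaysUv is assumed from the CTAP 2.1 specification,
not taken from this page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names, not libfido2 identifiers. */
enum { ACT_TOGGLE_ALWAYS_UV = 1, ACT_SET_PIN_MINLEN = 2 };
struct policy { bool always_uv; size_t pin_minlen; };

/*
 * Decide which configuration calls are needed to reach `want`.
 * names/values/n: option list from the authenticator's getInfo payload.
 * cur_minlen: minimum PIN length reported in the same payload.
 * Returns a bitmask of ACT_* values, or -1 if always-UV is wanted but the
 * authenticator does not advertise the option.
 */
int
plan_config(const char *const *names, const bool *values, size_t n,
    uint64_t cur_minlen, const struct policy *want)
{
	bool found = false, cur_uv = false;
	int actions = 0;
	for (size_t i = 0; i < n; i++) {
		if (strcmp(names[i], "alwaysUv") == 0) { /* assumed CTAP 2.1 option ID */
			found = true;
			cur_uv = values[i];
		}
	}
	if (!found && want->always_uv)
		return -1;
	/* The call is a toggle: issue it only when the state must flip. */
	if (found && cur_uv != want->always_uv)
		actions |= ACT_TOGGLE_ALWAYS_UV;
	/* The minimum may only grow; a longer current minimum already complies. */
	if (want->pin_minlen > cur_minlen)
		actions |= ACT_SET_PIN_MINLEN;
	return actions;
}

int main(void)
{
	/* Constructed sample: always-UV off, minimum PIN length 4. */
	const char *names[] = { "clientPin", "alwaysUv" };
	const bool values[] = { true, false };
	const struct policy want = { true, 8 };
	printf("actions=%d\n", plan_config(names, values, 2, 4, &want));
	return 0;
}
```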