Diffstat (limited to 'examples')
| -rw-r--r-- | examples/README.adoc | 5 | ||||
| -rw-r--r-- | examples/cred.c | 30 |
2 files changed, 28 insertions, 7 deletions
diff --git a/examples/README.adoc b/examples/README.adoc index d44218c2cf87..6151b70bd91e 100644 --- a/examples/README.adoc +++ b/examples/README.adoc @@ -48,7 +48,7 @@ The following examples are provided: the device's PIN is changed from [oldpin] to <pin>. - cred [-t es256|es384|rs256|eddsa] [-k pubkey] [-ei cred_id] [-P pin] - [-T seconds] [-b blobkey] [-hruv] <device> + [-T seconds] [-b blobkey] [-hruv] [-c cred_protect] <device> Creates a new credential on <device> and verify that the credential was signed by the authenticator. The device's attestation certificate @@ -63,7 +63,8 @@ The following examples are provided: is generated using U2F (CTAP1) instead of FIDO2 (CTAP2) commands. The -T option may be used to enforce a timeout of <seconds>. If the option -b is specified, the credential's "largeBlob" key is stored in - <blobkey>. + <blobkey>. If the option -c is specified the the generated credential + will be bound by the specified protection policy. - assert [-t es256|es384|rs256|eddsa] [-a cred_id] [-h hmac_secret] [-P pin] [-s hmac_salt] [-T seconds] [-b blobkey] [-puv] <pubkey> <device> diff --git a/examples/cred.c b/examples/cred.c index 576900d97786..5a2a27fd7771 100644 --- a/examples/cred.c +++ b/examples/cred.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2018-2022 Yubico AB. All rights reserved. + * Copyright (c) 2018-2023 Yubico AB. All rights reserved. * Use of this source code is governed by a BSD-style * license that can be found in the LICENSE file. * SPDX-License-Identifier: BSD-2-Clause @@ -36,7 +36,7 @@ static void usage(void) { fprintf(stderr, "usage: cred [-t es256|es384|rs256|eddsa] [-k pubkey] " - "[-ei cred_id] [-P pin] [-T seconds] [-b blobkey] [-hruv] " + "[-ei cred_id] [-P pin] [-T seconds] [-b blobkey] [-c cred_protect] [-hruv] " "<device>\n"); exit(EXIT_FAILURE); } 
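Review bot: The new usage() literal runs well past 80 columns once indented, while the neighbouring strings in the same fprintf are wrapped to fit; split it as `"[-ei cred_id] [-P pin] [-T seconds] [-b blobkey] "` followed by `"[-c cred_protect] [-hruv] <device>\n");`. The option order also disagrees with the README hunk in this same commit, which prints `[-c cred_protect]` after `[-hruv]`; pick one order so the two synopses match. usage() is otherwise complete within the hunk.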
@@ -44,7 +44,8 @@ usage(void)
 static void
 verify_cred(int type, const char *fmt, const unsigned char *authdata_ptr,
     size_t authdata_len, const unsigned char *attstmt_ptr, size_t attstmt_len,
-    bool rk, bool uv, int ext, const char *key_out, const char *id_out)
+    bool rk, bool uv, int ext, int cred_protect, const char *key_out,
+    const char *id_out)
 {
 	fido_cred_t *cred;
 	int r;
@@ -85,6 +86,11 @@ verify_cred(int type, const char *fmt, const unsigned char *authdata_ptr,
 	if (uv && (r = fido_cred_set_uv(cred, FIDO_OPT_TRUE)) != FIDO_OK)
 		errx(1, "fido_cred_set_uv: %s (0x%x)", fido_strerr(r), r);
 
+	/* credProt */
+	if (cred_protect != 0 && (r = fido_cred_set_prot(cred,
+	    cred_protect)) != FIDO_OK)
+		errx(1, "fido_cred_set_prot: %s (0x%x)", fido_strerr(r), r);
+
 	/* fmt */
 	r = fido_cred_set_fmt(cred, fmt);
 	if (r != FIDO_OK)
@@ -159,11 +165,12 @@ main(int argc, char **argv)
 	int ext = 0;
 	int ch;
 	int r;
+	long long cred_protect = 0;
 
 	if ((cred = fido_cred_new()) == NULL)
 		errx(1, "fido_cred_new");
 
-	while ((ch = getopt(argc, argv, "P:T:b:e:hi:k:rt:uv")) != -1) {
+	while ((ch = getopt(argc, argv, "P:T:b:e:hi:k:rt:uvc:")) != -1) {
 		switch (ch) {
 		case 'P':
 			pin = optarg;
@@ -192,6 +199,13 @@ main(int argc, char **argv)
 		case 'h':
 			ext |= FIDO_EXT_HMAC_SECRET;
 			break;
+		case 'c':
+			if (base10(optarg, &cred_protect) < 0)
+				errx(1, "base10: %s", optarg);
+			if (cred_protect <= 0 || cred_protect > 3)
+				errx(1, "-c: %s must be in (1,3)", optarg);
+			ext |= FIDO_EXT_CRED_PROTECT;
+			break;
 		case 'i':
 			id_out = optarg;
 			break;
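Review bot: The range error in the new `case 'c'` prints `(1,3)`, which reads as an open interval even though the check accepts both 1 and 3; `errx(1, "-c: %s must be between 1 and 3", optarg);` says what the code actually does. The bare literals 1 and 3 are credProtect policy levels; if the fido headers already included by this file expose named constants for them (libfido2 ships FIDO_CRED_PROT_UV_* values, to be confirmed for this version), comparing against those documents what the bounds mean. Failing that, a one-line comment above the check, `/* credProtect policy level; meaning of 1..3 per CTAP 2.1 credProtect */`, spares the reader a trip to the spec. main() starts before and continues after this hunk.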
@@ -275,6 +289,11 @@ main(int argc, char **argv)
 	if (uv && (r = fido_cred_set_uv(cred, FIDO_OPT_TRUE)) != FIDO_OK)
 		errx(1, "fido_cred_set_uv: %s (0x%x)", fido_strerr(r), r);
 
+	/* credProt */
+	if (cred_protect != 0 && (r = fido_cred_set_prot(cred,
+	    (int)cred_protect)) != FIDO_OK)
+		errx(1, "fido_cred_set_prot: %s (0x%x)", fido_strerr(r), r);
+
 	/* timeout */
 	if (ms != 0 && (r = fido_dev_set_timeout(dev, (int)ms)) != FIDO_OK)
 		errx(1, "fido_dev_set_timeout: %s (0x%x)", fido_strerr(r), r);
@@ -296,7 +315,8 @@ main(int argc, char **argv)
 	verify_cred(type, fido_cred_fmt(cred), fido_cred_authdata_ptr(cred),
 	    fido_cred_authdata_len(cred), fido_cred_attstmt_ptr(cred),
-	    fido_cred_attstmt_len(cred), rk, uv, ext, key_out, id_out);
+	    fido_cred_attstmt_len(cred), rk, uv, ext, fido_cred_prot(cred),
+	    key_out, id_out);
 
 	if (blobkey_out != NULL) {
 		/* extract the "largeBlob" key */ |
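Review bot: Setting credProtect on the request in the new `/* credProt */` block does not by itself establish that the authenticator applied it — a device without the extension can ignore it and still return a credential — and nothing in this hunk checks the outcome. After fido_dev_make_cred (outside this hunk) compare the reported value with the request, e.g. `if (cred_protect != 0 && fido_cred_prot(cred) != (int)cred_protect) errx(1, "credProtect not honoured by device");`, or gate the request on `fido_dev_supports_cred_prot(dev)` if that helper exists in the libfido2 version this example targets. Whether fido_cred_verify already enforces this is not visible here, so confirm against the library before adding a redundant check. The `(int)cred_protect` cast is sound only because the getopt loop in an earlier hunk bounds the value to 1..3; a short comment on the cast, `/* range-checked in the option parser */`, keeps it from looking unchecked.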
