summaryrefslogtreecommitdiffstats
path: root/examples
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-15 20:45:25 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-15 20:45:25 +0000
commit814d128d1c52fe82be73ecff5b7472378041313f (patch)
tree581db0c07936d6d608e8c2e72d4903df306dd589 /examples
parentInitial commit. (diff)
downloadlibfido2-814d128d1c52fe82be73ecff5b7472378041313f.tar.xz
libfido2-814d128d1c52fe82be73ecff5b7472378041313f.zip
Adding upstream version 1.14.0.upstream/1.14.0
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'examples')
-rw-r--r--examples/CMakeLists.txt59
-rw-r--r--examples/README.adoc100
-rw-r--r--examples/assert.c349
-rw-r--r--examples/cred.c331
-rw-r--r--examples/extern.h27
-rw-r--r--examples/info.c382
-rw-r--r--examples/manifest.c42
-rw-r--r--examples/reset.c49
-rw-r--r--examples/retries.c49
-rw-r--r--examples/select.c215
-rw-r--r--examples/setpin.c55
-rw-r--r--examples/util.c444
12 files changed, 2102 insertions, 0 deletions
diff --git a/examples/CMakeLists.txt b/examples/CMakeLists.txt
new file mode 100644
index 0000000..f013df4
--- /dev/null
+++ b/examples/CMakeLists.txt
@@ -0,0 +1,59 @@
+# Copyright (c) 2018 Yubico AB. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+# SPDX-License-Identifier: BSD-2-Clause
+
+list(APPEND COMPAT_SOURCES
+ ../openbsd-compat/clock_gettime.c
+ ../openbsd-compat/getopt_long.c
+ ../openbsd-compat/strlcat.c
+ ../openbsd-compat/strlcpy.c
+)
+
+if(WIN32 AND BUILD_SHARED_LIBS AND NOT CYGWIN AND NOT MSYS)
+ list(APPEND COMPAT_SOURCES ../openbsd-compat/posix_win.c)
+endif()
+
+# enable -Wconversion -Wsign-conversion
+if(NOT MSVC)
+ set_source_files_properties(assert.c cred.c info.c manifest.c reset.c
+ retries.c setpin.c util.c PROPERTIES COMPILE_FLAGS
+ "-Wconversion -Wsign-conversion")
+endif()
+
+# manifest
+add_executable(manifest manifest.c ${COMPAT_SOURCES})
+target_link_libraries(manifest ${_FIDO2_LIBRARY})
+
+# info
+add_executable(info info.c ${COMPAT_SOURCES})
+target_link_libraries(info ${_FIDO2_LIBRARY})
+
+# reset
+add_executable(reset reset.c util.c ${COMPAT_SOURCES})
+target_link_libraries(reset ${_FIDO2_LIBRARY})
+
+# cred
+add_executable(cred cred.c util.c ${COMPAT_SOURCES})
+target_link_libraries(cred ${_FIDO2_LIBRARY})
+
+# assert
+add_executable(assert assert.c util.c ${COMPAT_SOURCES})
+target_link_libraries(assert ${_FIDO2_LIBRARY})
+
+# setpin
+add_executable(setpin setpin.c ${COMPAT_SOURCES})
+target_link_libraries(setpin ${_FIDO2_LIBRARY})
+
+# retries
+add_executable(retries retries.c ${COMPAT_SOURCES})
+target_link_libraries(retries ${_FIDO2_LIBRARY})
+
+# select
+add_executable(select select.c ${COMPAT_SOURCES})
+target_link_libraries(select ${_FIDO2_LIBRARY})
+
+if(MINGW)
+ # needed for nanosleep() in mingw
+ target_link_libraries(select winpthread)
+endif()
diff --git a/examples/README.adoc b/examples/README.adoc
new file mode 100644
index 0000000..6151b70
--- /dev/null
+++ b/examples/README.adoc
@@ -0,0 +1,100 @@
+= Examples
+
+=== Definitions
+
+The following definitions are used in the description below:
+
+- <device>
+
+ The file system path or subsystem-specific identification string of a
+ FIDO device.
+
+- <pin>, [oldpin]
+
+ Strings passed directly in the executed command's argument vector.
+
+- <cred_id>
+
+ The file system path of a file containing a FIDO credential ID in
+ binary representation.
+
+- <pubkey>
+
+ The file system path of a file containing a public key in PEM format.
+
+- <blobkey>
+
+ A credential's associated CTAP 2.1 "largeBlob" symmetric key.
+
+=== Description
+
+The following examples are provided:
+
+- manifest
+
+ Prints a list of configured FIDO devices.
+
+- info <device>
+
+ Prints information about <device>.
+
+- reset <device>
+
+ Performs a factory reset on <device>.
+
+- setpin <pin> [oldpin] <device>
+
+ Configures <pin> as the new PIN of <device>. If [oldpin] is provided,
+ the device's PIN is changed from [oldpin] to <pin>.
+
+- cred [-t es256|es384|rs256|eddsa] [-k pubkey] [-ei cred_id] [-P pin]
+ [-T seconds] [-b blobkey] [-hruv] [-c cred_protect] <device>
+
+ Creates a new credential on <device> and verify that the credential
+ was signed by the authenticator. The device's attestation certificate
+ is not verified. If option -k is specified, the credential's public
+ key is stored in <pubkey>. If option -i is specified, the credential
+ ID is stored in <cred_id>. The -e option may be used to add <cred_id>
+ to the list of excluded credentials. If option -h is specified,
+ the hmac-secret FIDO2 extension is enabled on the generated
+ credential. If option -r is specified, the generated credential
+ will involve a resident key. User verification may be requested
+ through the -v option. If option -u is specified, the credential
+ is generated using U2F (CTAP1) instead of FIDO2 (CTAP2) commands.
+ The -T option may be used to enforce a timeout of <seconds>. If the
+ option -b is specified, the credential's "largeBlob" key is stored in
+ <blobkey>. If the option -c is specified the the generated credential
+ will be bound by the specified protection policy.
+
+- assert [-t es256|es384|rs256|eddsa] [-a cred_id] [-h hmac_secret] [-P pin]
+ [-s hmac_salt] [-T seconds] [-b blobkey] [-puv] <pubkey> <device>
+
+ Asks <device> for a FIDO2 assertion corresponding to [cred_id],
+ which may be omitted for resident keys. The obtained assertion
+ is verified using <pubkey>. The -p option requests that the user
+ be present and checks whether the user presence bit was signed by the
+ authenticator. The -v option requests user verification and checks
+ whether the user verification bit was signed by the authenticator.
+ If option -u is specified, the assertion is generated using
+ U2F (CTAP1) instead of FIDO2 (CTAP2) commands. If option -s is
+ specified, a FIDO2 hmac-secret is requested from the authenticator,
+ and the contents of <hmac_salt> are used as the salt. If option -h
+ is specified, the resulting hmac-secret is stored in <hmac_secret>.
+ The -T option may be used to enforce a timeout of <seconds>. If the
+ option -b specified, the credential's "largeBlob" key is stored in
+ <blobkey>.
+
+- retries <device>
+ Get the number of PIN attempts left on <device> before lockout.
+
+- select
+
+ Enumerates available FIDO devices and, if more than one is present,
+ simultaneously requests touch on all of them, printing information
+ about the device touched.
+
+Debugging is possible through the use of the FIDO_DEBUG environment variable.
+If set, libfido2 will produce a log of its transactions with the authenticator.
+
+Additionally, an example of a WebAuthn client using libfido2 is available at
+https://github.com/martelletto/fido2-webauthn-client.
diff --git a/examples/assert.c b/examples/assert.c
new file mode 100644
index 0000000..32ba97b
--- /dev/null
+++ b/examples/assert.c
@@ -0,0 +1,349 @@
+/*
+ * Copyright (c) 2018-2022 Yubico AB. All rights reserved.
+ * Use of this source code is governed by a BSD-style
+ * license that can be found in the LICENSE file.
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#include <fido.h>
+#include <fido/es256.h>
+#include <fido/es384.h>
+#include <fido/rs256.h>
+#include <fido/eddsa.h>
+
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+#include "../openbsd-compat/openbsd-compat.h"
+#include "extern.h"
+
+static const unsigned char cd[32] = {
+ 0xec, 0x8d, 0x8f, 0x78, 0x42, 0x4a, 0x2b, 0xb7,
+ 0x82, 0x34, 0xaa, 0xca, 0x07, 0xa1, 0xf6, 0x56,
+ 0x42, 0x1c, 0xb6, 0xf6, 0xb3, 0x00, 0x86, 0x52,
+ 0x35, 0x2d, 0xa2, 0x62, 0x4a, 0xbe, 0x89, 0x76,
+};
+
+static void
+usage(void)
+{
+ fprintf(stderr, "usage: assert [-t es256|es384|rs256|eddsa] "
+ "[-a cred_id] [-h hmac_secret] [-s hmac_salt] [-P pin] "
+ "[-T seconds] [-b blobkey] [-puv] <pubkey> <device>\n");
+ exit(EXIT_FAILURE);
+}
+
+static void
+verify_assert(int type, const unsigned char *authdata_ptr, size_t authdata_len,
+ const unsigned char *sig_ptr, size_t sig_len, bool up, bool uv, int ext,
+ const char *key)
+{
+ fido_assert_t *assert = NULL;
+ EC_KEY *ec = NULL;
+ RSA *rsa = NULL;
+ EVP_PKEY *eddsa = NULL;
+ es256_pk_t *es256_pk = NULL;
+ es384_pk_t *es384_pk = NULL;
+ rs256_pk_t *rs256_pk = NULL;
+ eddsa_pk_t *eddsa_pk = NULL;
+ void *pk;
+ int r;
+
+ /* credential pubkey */
+ switch (type) {
+ case COSE_ES256:
+ if ((ec = read_ec_pubkey(key)) == NULL)
+ errx(1, "read_ec_pubkey");
+
+ if ((es256_pk = es256_pk_new()) == NULL)
+ errx(1, "es256_pk_new");
+
+ if (es256_pk_from_EC_KEY(es256_pk, ec) != FIDO_OK)
+ errx(1, "es256_pk_from_EC_KEY");
+
+ pk = es256_pk;
+ EC_KEY_free(ec);
+ ec = NULL;
+
+ break;
+ case COSE_ES384:
+ if ((ec = read_ec_pubkey(key)) == NULL)
+ errx(1, "read_ec_pubkey");
+
+ if ((es384_pk = es384_pk_new()) == NULL)
+ errx(1, "es384_pk_new");
+
+ if (es384_pk_from_EC_KEY(es384_pk, ec) != FIDO_OK)
+ errx(1, "es384_pk_from_EC_KEY");
+
+ pk = es384_pk;
+ EC_KEY_free(ec);
+ ec = NULL;
+
+ break;
+ case COSE_RS256:
+ if ((rsa = read_rsa_pubkey(key)) == NULL)
+ errx(1, "read_rsa_pubkey");
+
+ if ((rs256_pk = rs256_pk_new()) == NULL)
+ errx(1, "rs256_pk_new");
+
+ if (rs256_pk_from_RSA(rs256_pk, rsa) != FIDO_OK)
+ errx(1, "rs256_pk_from_RSA");
+
+ pk = rs256_pk;
+ RSA_free(rsa);
+ rsa = NULL;
+
+ break;
+ case COSE_EDDSA:
+ if ((eddsa = read_eddsa_pubkey(key)) == NULL)
+ errx(1, "read_eddsa_pubkey");
+
+ if ((eddsa_pk = eddsa_pk_new()) == NULL)
+ errx(1, "eddsa_pk_new");
+
+ if (eddsa_pk_from_EVP_PKEY(eddsa_pk, eddsa) != FIDO_OK)
+ errx(1, "eddsa_pk_from_EVP_PKEY");
+
+ pk = eddsa_pk;
+ EVP_PKEY_free(eddsa);
+ eddsa = NULL;
+
+ break;
+ default:
+ errx(1, "unknown credential type %d", type);
+ }
+
+ if ((assert = fido_assert_new()) == NULL)
+ errx(1, "fido_assert_new");
+
+ /* client data hash */
+ r = fido_assert_set_clientdata(assert, cd, sizeof(cd));
+ if (r != FIDO_OK)
+ errx(1, "fido_assert_set_clientdata: %s (0x%x)", fido_strerr(r), r);
+
+ /* relying party */
+ r = fido_assert_set_rp(assert, "localhost");
+ if (r != FIDO_OK)
+ errx(1, "fido_assert_set_rp: %s (0x%x)", fido_strerr(r), r);
+
+ /* authdata */
+ r = fido_assert_set_count(assert, 1);
+ if (r != FIDO_OK)
+ errx(1, "fido_assert_set_count: %s (0x%x)", fido_strerr(r), r);
+ r = fido_assert_set_authdata(assert, 0, authdata_ptr, authdata_len);
+ if (r != FIDO_OK)
+ errx(1, "fido_assert_set_authdata: %s (0x%x)", fido_strerr(r), r);
+
+ /* extension */
+ r = fido_assert_set_extensions(assert, ext);
+ if (r != FIDO_OK)
+ errx(1, "fido_assert_set_extensions: %s (0x%x)", fido_strerr(r),
+ r);
+
+ /* user presence */
+ if (up && (r = fido_assert_set_up(assert, FIDO_OPT_TRUE)) != FIDO_OK)
+ errx(1, "fido_assert_set_up: %s (0x%x)", fido_strerr(r), r);
+
+ /* user verification */
+ if (uv && (r = fido_assert_set_uv(assert, FIDO_OPT_TRUE)) != FIDO_OK)
+ errx(1, "fido_assert_set_uv: %s (0x%x)", fido_strerr(r), r);
+
+ /* sig */
+ r = fido_assert_set_sig(assert, 0, sig_ptr, sig_len);
+ if (r != FIDO_OK)
+ errx(1, "fido_assert_set_sig: %s (0x%x)", fido_strerr(r), r);
+
+ r = fido_assert_verify(assert, 0, type, pk);
+ if (r != FIDO_OK)
+ errx(1, "fido_assert_verify: %s (0x%x)", fido_strerr(r), r);
+
+ es256_pk_free(&es256_pk);
+ es384_pk_free(&es384_pk);
+ rs256_pk_free(&rs256_pk);
+ eddsa_pk_free(&eddsa_pk);
+
+ fido_assert_free(&assert);
+}
+
+int
+main(int argc, char **argv)
+{
+ bool up = false;
+ bool uv = false;
+ bool u2f = false;
+ fido_dev_t *dev = NULL;
+ fido_assert_t *assert = NULL;
+ const char *pin = NULL;
+ const char *blobkey_out = NULL;
+ const char *hmac_out = NULL;
+ unsigned char *body = NULL;
+ long long ms = 0;
+ size_t len;
+ int type = COSE_ES256;
+ int ext = 0;
+ int ch;
+ int r;
+
+ if ((assert = fido_assert_new()) == NULL)
+ errx(1, "fido_assert_new");
+
+ while ((ch = getopt(argc, argv, "P:T:a:b:h:ps:t:uv")) != -1) {
+ switch (ch) {
+ case 'P':
+ pin = optarg;
+ break;
+ case 'T':
+ if (base10(optarg, &ms) < 0)
+ errx(1, "base10: %s", optarg);
+ if (ms <= 0 || ms > 30)
+ errx(1, "-T: %s must be in (0,30]", optarg);
+ ms *= 1000; /* seconds to milliseconds */
+ break;
+ case 'a':
+ if (read_blob(optarg, &body, &len) < 0)
+ errx(1, "read_blob: %s", optarg);
+ if ((r = fido_assert_allow_cred(assert, body,
+ len)) != FIDO_OK)
+ errx(1, "fido_assert_allow_cred: %s (0x%x)",
+ fido_strerr(r), r);
+ free(body);
+ body = NULL;
+ break;
+ case 'b':
+ ext |= FIDO_EXT_LARGEBLOB_KEY;
+ blobkey_out = optarg;
+ break;
+ case 'h':
+ hmac_out = optarg;
+ break;
+ case 'p':
+ up = true;
+ break;
+ case 's':
+ ext |= FIDO_EXT_HMAC_SECRET;
+ if (read_blob(optarg, &body, &len) < 0)
+ errx(1, "read_blob: %s", optarg);
+ if ((r = fido_assert_set_hmac_salt(assert, body,
+ len)) != FIDO_OK)
+ errx(1, "fido_assert_set_hmac_salt: %s (0x%x)",
+ fido_strerr(r), r);
+ free(body);
+ body = NULL;
+ break;
+ case 't':
+ if (strcmp(optarg, "es256") == 0)
+ type = COSE_ES256;
+ else if (strcmp(optarg, "es384") == 0)
+ type = COSE_ES384;
+ else if (strcmp(optarg, "rs256") == 0)
+ type = COSE_RS256;
+ else if (strcmp(optarg, "eddsa") == 0)
+ type = COSE_EDDSA;
+ else
+ errx(1, "unknown type %s", optarg);
+ break;
+ case 'u':
+ u2f = true;
+ break;
+ case 'v':
+ uv = true;
+ break;
+ default:
+ usage();
+ }
+ }
+
+ argc -= optind;
+ argv += optind;
+
+ if (argc != 2)
+ usage();
+
+ fido_init(0);
+
+ if ((dev = fido_dev_new()) == NULL)
+ errx(1, "fido_dev_new");
+
+ r = fido_dev_open(dev, argv[1]);
+ if (r != FIDO_OK)
+ errx(1, "fido_dev_open: %s (0x%x)", fido_strerr(r), r);
+ if (u2f)
+ fido_dev_force_u2f(dev);
+
+ /* client data hash */
+ r = fido_assert_set_clientdata(assert, cd, sizeof(cd));
+ if (r != FIDO_OK)
+ errx(1, "fido_assert_set_clientdata: %s (0x%x)", fido_strerr(r), r);
+
+ /* relying party */
+ r = fido_assert_set_rp(assert, "localhost");
+ if (r != FIDO_OK)
+ errx(1, "fido_assert_set_rp: %s (0x%x)", fido_strerr(r), r);
+
+ /* extensions */
+ r = fido_assert_set_extensions(assert, ext);
+ if (r != FIDO_OK)
+ errx(1, "fido_assert_set_extensions: %s (0x%x)", fido_strerr(r),
+ r);
+
+ /* user presence */
+ if (up && (r = fido_assert_set_up(assert, FIDO_OPT_TRUE)) != FIDO_OK)
+ errx(1, "fido_assert_set_up: %s (0x%x)", fido_strerr(r), r);
+
+ /* user verification */
+ if (uv && (r = fido_assert_set_uv(assert, FIDO_OPT_TRUE)) != FIDO_OK)
+ errx(1, "fido_assert_set_uv: %s (0x%x)", fido_strerr(r), r);
+
+ /* timeout */
+ if (ms != 0 && (r = fido_dev_set_timeout(dev, (int)ms)) != FIDO_OK)
+ errx(1, "fido_dev_set_timeout: %s (0x%x)", fido_strerr(r), r);
+
+ if ((r = fido_dev_get_assert(dev, assert, pin)) != FIDO_OK) {
+ fido_dev_cancel(dev);
+ errx(1, "fido_dev_get_assert: %s (0x%x)", fido_strerr(r), r);
+ }
+
+ r = fido_dev_close(dev);
+ if (r != FIDO_OK)
+ errx(1, "fido_dev_close: %s (0x%x)", fido_strerr(r), r);
+
+ fido_dev_free(&dev);
+
+ if (fido_assert_count(assert) != 1)
+ errx(1, "fido_assert_count: %d signatures returned",
+ (int)fido_assert_count(assert));
+
+ /* when verifying, pin implies uv */
+ if (pin)
+ uv = true;
+
+ verify_assert(type, fido_assert_authdata_ptr(assert, 0),
+ fido_assert_authdata_len(assert, 0), fido_assert_sig_ptr(assert, 0),
+ fido_assert_sig_len(assert, 0), up, uv, ext, argv[0]);
+
+ if (hmac_out != NULL) {
+ /* extract the hmac secret */
+ if (write_blob(hmac_out, fido_assert_hmac_secret_ptr(assert, 0),
+ fido_assert_hmac_secret_len(assert, 0)) < 0)
+ errx(1, "write_blob");
+ }
+
+ if (blobkey_out != NULL) {
+ /* extract the hmac secret */
+ if (write_blob(blobkey_out,
+ fido_assert_largeblob_key_ptr(assert, 0),
+ fido_assert_largeblob_key_len(assert, 0)) < 0)
+ errx(1, "write_blob");
+ }
+
+ fido_assert_free(&assert);
+
+ exit(0);
+}
diff --git a/examples/cred.c b/examples/cred.c
new file mode 100644
index 0000000..5a2a27f
--- /dev/null
+++ b/examples/cred.c
@@ -0,0 +1,331 @@
+/*
+ * Copyright (c) 2018-2023 Yubico AB. All rights reserved.
+ * Use of this source code is governed by a BSD-style
+ * license that can be found in the LICENSE file.
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#include <errno.h>
+#include <fido.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+#include "../openbsd-compat/openbsd-compat.h"
+#include "extern.h"
+
+static const unsigned char cd[32] = {
+ 0xf9, 0x64, 0x57, 0xe7, 0x2d, 0x97, 0xf6, 0xbb,
+ 0xdd, 0xd7, 0xfb, 0x06, 0x37, 0x62, 0xea, 0x26,
+ 0x20, 0x44, 0x8e, 0x69, 0x7c, 0x03, 0xf2, 0x31,
+ 0x2f, 0x99, 0xdc, 0xaf, 0x3e, 0x8a, 0x91, 0x6b,
+};
+
+static const unsigned char user_id[32] = {
+ 0x78, 0x1c, 0x78, 0x60, 0xad, 0x88, 0xd2, 0x63,
+ 0x32, 0x62, 0x2a, 0xf1, 0x74, 0x5d, 0xed, 0xb2,
+ 0xe7, 0xa4, 0x2b, 0x44, 0x89, 0x29, 0x39, 0xc5,
+ 0x56, 0x64, 0x01, 0x27, 0x0d, 0xbb, 0xc4, 0x49,
+};
+
+static void
+usage(void)
+{
+ fprintf(stderr, "usage: cred [-t es256|es384|rs256|eddsa] [-k pubkey] "
+ "[-ei cred_id] [-P pin] [-T seconds] [-b blobkey] [-c cred_protect] [-hruv] "
+ "<device>\n");
+ exit(EXIT_FAILURE);
+}
+
+static void
+verify_cred(int type, const char *fmt, const unsigned char *authdata_ptr,
+ size_t authdata_len, const unsigned char *attstmt_ptr, size_t attstmt_len,
+ bool rk, bool uv, int ext, int cred_protect, const char *key_out,
+ const char *id_out)
+{
+ fido_cred_t *cred;
+ int r;
+
+ if ((cred = fido_cred_new()) == NULL)
+ errx(1, "fido_cred_new");
+
+ /* type */
+ r = fido_cred_set_type(cred, type);
+ if (r != FIDO_OK)
+ errx(1, "fido_cred_set_type: %s (0x%x)", fido_strerr(r), r);
+
+ /* client data */
+ r = fido_cred_set_clientdata(cred, cd, sizeof(cd));
+ if (r != FIDO_OK)
+ errx(1, "fido_cred_set_clientdata: %s (0x%x)", fido_strerr(r), r);
+
+ /* relying party */
+ r = fido_cred_set_rp(cred, "localhost", "sweet home localhost");
+ if (r != FIDO_OK)
+ errx(1, "fido_cred_set_rp: %s (0x%x)", fido_strerr(r), r);
+
+ /* authdata */
+ r = fido_cred_set_authdata(cred, authdata_ptr, authdata_len);
+ if (r != FIDO_OK)
+ errx(1, "fido_cred_set_authdata: %s (0x%x)", fido_strerr(r), r);
+
+ /* extensions */
+ r = fido_cred_set_extensions(cred, ext);
+ if (r != FIDO_OK)
+ errx(1, "fido_cred_set_extensions: %s (0x%x)", fido_strerr(r), r);
+
+ /* resident key */
+ if (rk && (r = fido_cred_set_rk(cred, FIDO_OPT_TRUE)) != FIDO_OK)
+ errx(1, "fido_cred_set_rk: %s (0x%x)", fido_strerr(r), r);
+
+ /* user verification */
+ if (uv && (r = fido_cred_set_uv(cred, FIDO_OPT_TRUE)) != FIDO_OK)
+ errx(1, "fido_cred_set_uv: %s (0x%x)", fido_strerr(r), r);
+
+ /* credProt */
+ if (cred_protect != 0 && (r = fido_cred_set_prot(cred,
+ cred_protect)) != FIDO_OK)
+ errx(1, "fido_cred_set_prot: %s (0x%x)", fido_strerr(r), r);
+
+ /* fmt */
+ r = fido_cred_set_fmt(cred, fmt);
+ if (r != FIDO_OK)
+ errx(1, "fido_cred_set_fmt: %s (0x%x)", fido_strerr(r), r);
+
+ if (!strcmp(fido_cred_fmt(cred), "none")) {
+ warnx("no attestation data, skipping credential verification");
+ goto out;
+ }
+
+ /* attestation statement */
+ r = fido_cred_set_attstmt(cred, attstmt_ptr, attstmt_len);
+ if (r != FIDO_OK)
+ errx(1, "fido_cred_set_attstmt: %s (0x%x)", fido_strerr(r), r);
+
+ r = fido_cred_verify(cred);
+ if (r != FIDO_OK)
+ errx(1, "fido_cred_verify: %s (0x%x)", fido_strerr(r), r);
+
+out:
+ if (key_out != NULL) {
+ /* extract the credential pubkey */
+ if (type == COSE_ES256) {
+ if (write_es256_pubkey(key_out,
+ fido_cred_pubkey_ptr(cred),
+ fido_cred_pubkey_len(cred)) < 0)
+ errx(1, "write_es256_pubkey");
+ } else if (type == COSE_ES384) {
+ if (write_es384_pubkey(key_out,
+ fido_cred_pubkey_ptr(cred),
+ fido_cred_pubkey_len(cred)) < 0)
+ errx(1, "write_es384_pubkey");
+ } else if (type == COSE_RS256) {
+ if (write_rs256_pubkey(key_out,
+ fido_cred_pubkey_ptr(cred),
+ fido_cred_pubkey_len(cred)) < 0)
+ errx(1, "write_rs256_pubkey");
+ } else if (type == COSE_EDDSA) {
+ if (write_eddsa_pubkey(key_out,
+ fido_cred_pubkey_ptr(cred),
+ fido_cred_pubkey_len(cred)) < 0)
+ errx(1, "write_eddsa_pubkey");
+ }
+ }
+
+ if (id_out != NULL) {
+ /* extract the credential id */
+ if (write_blob(id_out, fido_cred_id_ptr(cred),
+ fido_cred_id_len(cred)) < 0)
+ errx(1, "write_blob");
+ }
+
+ fido_cred_free(&cred);
+}
+
+int
+main(int argc, char **argv)
+{
+ bool rk = false;
+ bool uv = false;
+ bool u2f = false;
+ fido_dev_t *dev;
+ fido_cred_t *cred = NULL;
+ const char *pin = NULL;
+ const char *blobkey_out = NULL;
+ const char *key_out = NULL;
+ const char *id_out = NULL;
+ unsigned char *body = NULL;
+ long long ms = 0;
+ size_t len;
+ int type = COSE_ES256;
+ int ext = 0;
+ int ch;
+ int r;
+ long long cred_protect = 0;
+
+ if ((cred = fido_cred_new()) == NULL)
+ errx(1, "fido_cred_new");
+
+ while ((ch = getopt(argc, argv, "P:T:b:e:hi:k:rt:uvc:")) != -1) {
+ switch (ch) {
+ case 'P':
+ pin = optarg;
+ break;
+ case 'T':
+ if (base10(optarg, &ms) < 0)
+ errx(1, "base10: %s", optarg);
+ if (ms <= 0 || ms > 30)
+ errx(1, "-T: %s must be in (0,30]", optarg);
+ ms *= 1000; /* seconds to milliseconds */
+ break;
+ case 'b':
+ ext |= FIDO_EXT_LARGEBLOB_KEY;
+ blobkey_out = optarg;
+ break;
+ case 'e':
+ if (read_blob(optarg, &body, &len) < 0)
+ errx(1, "read_blob: %s", optarg);
+ r = fido_cred_exclude(cred, body, len);
+ if (r != FIDO_OK)
+ errx(1, "fido_cred_exclude: %s (0x%x)",
+ fido_strerr(r), r);
+ free(body);
+ body = NULL;
+ break;
+ case 'h':
+ ext |= FIDO_EXT_HMAC_SECRET;
+ break;
+ case 'c':
+ if (base10(optarg, &cred_protect) < 0)
+ errx(1, "base10: %s", optarg);
+ if (cred_protect <= 0 || cred_protect > 3)
+ errx(1, "-c: %s must be in (1,3)", optarg);
+ ext |= FIDO_EXT_CRED_PROTECT;
+ break;
+ case 'i':
+ id_out = optarg;
+ break;
+ case 'k':
+ key_out = optarg;
+ break;
+ case 'r':
+ rk = true;
+ break;
+ case 't':
+ if (strcmp(optarg, "es256") == 0)
+ type = COSE_ES256;
+ else if (strcmp(optarg, "es384") == 0)
+ type = COSE_ES384;
+ else if (strcmp(optarg, "rs256") == 0)
+ type = COSE_RS256;
+ else if (strcmp(optarg, "eddsa") == 0)
+ type = COSE_EDDSA;
+ else
+ errx(1, "unknown type %s", optarg);
+ break;
+ case 'u':
+ u2f = true;
+ break;
+ case 'v':
+ uv = true;
+ break;
+ default:
+ usage();
+ }
+ }
+
+ argc -= optind;
+ argv += optind;
+
+ if (argc != 1)
+ usage();
+
+ fido_init(0);
+
+ if ((dev = fido_dev_new()) == NULL)
+ errx(1, "fido_dev_new");
+
+ r = fido_dev_open(dev, argv[0]);
+ if (r != FIDO_OK)
+ errx(1, "fido_dev_open: %s (0x%x)", fido_strerr(r), r);
+ if (u2f)
+ fido_dev_force_u2f(dev);
+
+ /* type */
+ r = fido_cred_set_type(cred, type);
+ if (r != FIDO_OK)
+ errx(1, "fido_cred_set_type: %s (0x%x)", fido_strerr(r), r);
+
+ /* client data */
+ r = fido_cred_set_clientdata(cred, cd, sizeof(cd));
+ if (r != FIDO_OK)
+ errx(1, "fido_cred_set_clientdata: %s (0x%x)", fido_strerr(r), r);
+
+ /* relying party */
+ r = fido_cred_set_rp(cred, "localhost", "sweet home localhost");
+ if (r != FIDO_OK)
+ errx(1, "fido_cred_set_rp: %s (0x%x)", fido_strerr(r), r);
+
+ /* user */
+ r = fido_cred_set_user(cred, user_id, sizeof(user_id), "john smith",
+ "jsmith", NULL);
+ if (r != FIDO_OK)
+ errx(1, "fido_cred_set_user: %s (0x%x)", fido_strerr(r), r);
+
+ /* extensions */
+ r = fido_cred_set_extensions(cred, ext);
+ if (r != FIDO_OK)
+ errx(1, "fido_cred_set_extensions: %s (0x%x)", fido_strerr(r), r);
+
+ /* resident key */
+ if (rk && (r = fido_cred_set_rk(cred, FIDO_OPT_TRUE)) != FIDO_OK)
+ errx(1, "fido_cred_set_rk: %s (0x%x)", fido_strerr(r), r);
+
+ /* user verification */
+ if (uv && (r = fido_cred_set_uv(cred, FIDO_OPT_TRUE)) != FIDO_OK)
+ errx(1, "fido_cred_set_uv: %s (0x%x)", fido_strerr(r), r);
+
+ /* credProt */
+ if (cred_protect != 0 && (r = fido_cred_set_prot(cred,
+ (int)cred_protect)) != FIDO_OK)
+ errx(1, "fido_cred_set_prot: %s (0x%x)", fido_strerr(r), r);
+
+ /* timeout */
+ if (ms != 0 && (r = fido_dev_set_timeout(dev, (int)ms)) != FIDO_OK)
+ errx(1, "fido_dev_set_timeout: %s (0x%x)", fido_strerr(r), r);
+
+ if ((r = fido_dev_make_cred(dev, cred, pin)) != FIDO_OK) {
+ fido_dev_cancel(dev);
+ errx(1, "fido_makecred: %s (0x%x)", fido_strerr(r), r);
+ }
+
+ r = fido_dev_close(dev);
+ if (r != FIDO_OK)
+ errx(1, "fido_dev_close: %s (0x%x)", fido_strerr(r), r);
+
+ fido_dev_free(&dev);
+
+ /* when verifying, pin implies uv */
+ if (pin)
+ uv = true;
+
+ verify_cred(type, fido_cred_fmt(cred), fido_cred_authdata_ptr(cred),
+ fido_cred_authdata_len(cred), fido_cred_attstmt_ptr(cred),
+ fido_cred_attstmt_len(cred), rk, uv, ext, fido_cred_prot(cred),
+ key_out, id_out);
+
+ if (blobkey_out != NULL) {
+ /* extract the "largeBlob" key */
+ if (write_blob(blobkey_out, fido_cred_largeblob_key_ptr(cred),
+ fido_cred_largeblob_key_len(cred)) < 0)
+ errx(1, "write_blob");
+ }
+
+ fido_cred_free(&cred);
+
+ exit(0);
+}
diff --git a/examples/extern.h b/examples/extern.h
new file mode 100644
index 0000000..5cffd7f
--- /dev/null
+++ b/examples/extern.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright (c) 2018-2022 Yubico AB. All rights reserved.
+ * Use of this source code is governed by a BSD-style
+ * license that can be found in the LICENSE file.
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#ifndef _EXTERN_H_
+#define _EXTERN_H_
+
+#include <openssl/ec.h>
+#include <openssl/evp.h>
+#include <openssl/rsa.h>
+
+/* util.c */
+EC_KEY *read_ec_pubkey(const char *);
+RSA *read_rsa_pubkey(const char *);
+EVP_PKEY *read_eddsa_pubkey(const char *);
+int base10(const char *, long long *);
+int read_blob(const char *, unsigned char **, size_t *);
+int write_blob(const char *, const unsigned char *, size_t);
+int write_es256_pubkey(const char *, const void *, size_t);
+int write_es384_pubkey(const char *, const void *, size_t);
+int write_rs256_pubkey(const char *, const void *, size_t);
+int write_eddsa_pubkey(const char *, const void *, size_t);
+
+#endif /* _EXTERN_H_ */
diff --git a/examples/info.c b/examples/info.c
new file mode 100644
index 0000000..a10a50c
--- /dev/null
+++ b/examples/info.c
@@ -0,0 +1,382 @@
+/*
+ * Copyright (c) 2018-2022 Yubico AB. All rights reserved.
+ * Use of this source code is governed by a BSD-style
+ * license that can be found in the LICENSE file.
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#include <fido.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "../openbsd-compat/openbsd-compat.h"
+
+/*
+ * Pretty-print a device's capabilities flags and return the result.
+ */
+static void
+format_flags(char *ret, size_t retlen, uint8_t flags)
+{
+ memset(ret, 0, retlen);
+
+ if (flags & FIDO_CAP_WINK) {
+ if (strlcat(ret, "wink,", retlen) >= retlen)
+ goto toolong;
+ } else {
+ if (strlcat(ret, "nowink,", retlen) >= retlen)
+ goto toolong;
+ }
+
+ if (flags & FIDO_CAP_CBOR) {
+ if (strlcat(ret, " cbor,", retlen) >= retlen)
+ goto toolong;
+ } else {
+ if (strlcat(ret, " nocbor,", retlen) >= retlen)
+ goto toolong;
+ }
+
+ if (flags & FIDO_CAP_NMSG) {
+ if (strlcat(ret, " nomsg", retlen) >= retlen)
+ goto toolong;
+ } else {
+ if (strlcat(ret, " msg", retlen) >= retlen)
+ goto toolong;
+ }
+
+ return;
+toolong:
+ strlcpy(ret, "toolong", retlen);
+}
+
+/*
+ * Print a FIDO device's attributes on stdout.
+ */
+static void
+print_attr(const fido_dev_t *dev)
+{
+ char flags_txt[128];
+
+ printf("proto: 0x%02x\n", fido_dev_protocol(dev));
+ printf("major: 0x%02x\n", fido_dev_major(dev));
+ printf("minor: 0x%02x\n", fido_dev_minor(dev));
+ printf("build: 0x%02x\n", fido_dev_build(dev));
+
+ format_flags(flags_txt, sizeof(flags_txt), fido_dev_flags(dev));
+ printf("caps: 0x%02x (%s)\n", fido_dev_flags(dev), flags_txt);
+}
+
+/*
+ * Auxiliary function to print an array of strings on stdout.
+ */
+static void
+print_str_array(const char *label, char * const *sa, size_t len)
+{
+ if (len == 0)
+ return;
+
+ printf("%s strings: ", label);
+
+ for (size_t i = 0; i < len; i++)
+ printf("%s%s", i > 0 ? ", " : "", sa[i]);
+
+ printf("\n");
+}
+
+/*
+ * Auxiliary function to print (char *, bool) pairs on stdout.
+ */
+static void
+print_opt_array(const char *label, char * const *name, const bool *value,
+ size_t len)
+{
+ if (len == 0)
+ return;
+
+ printf("%s: ", label);
+
+ for (size_t i = 0; i < len; i++)
+ printf("%s%s%s", i > 0 ? ", " : "",
+ value[i] ? "" : "no", name[i]);
+
+ printf("\n");
+}
+
+/*
+ * Auxiliary function to print (char *, uint64_t) pairs on stdout.
+ */
+static void
+print_cert_array(const char *label, char * const *name, const uint64_t *value,
+ size_t len)
+{
+ if (len == 0)
+ return;
+
+ printf("%s: ", label);
+
+ for (size_t i = 0; i < len; i++)
+ printf("%s%s %llu", i > 0 ? ", " : "", name[i],
+ (unsigned long long)value[i]);
+
+ printf("\n");
+}
+
+/*
+ * Auxiliary function to print a list of supported COSE algorithms on stdout.
+ */
+static void
+print_algorithms(const fido_cbor_info_t *ci)
+{
+ const char *cose, *type;
+ size_t len;
+
+ if ((len = fido_cbor_info_algorithm_count(ci)) == 0)
+ return;
+
+ printf("algorithms: ");
+
+ for (size_t i = 0; i < len; i++) {
+ cose = type = "unknown";
+ switch (fido_cbor_info_algorithm_cose(ci, i)) {
+ case COSE_ES256:
+ cose = "es256";
+ break;
+ case COSE_ES384:
+ cose = "es384";
+ break;
+ case COSE_RS256:
+ cose = "rs256";
+ break;
+ case COSE_EDDSA:
+ cose = "eddsa";
+ break;
+ }
+ if (fido_cbor_info_algorithm_type(ci, i) != NULL)
+ type = fido_cbor_info_algorithm_type(ci, i);
+ printf("%s%s (%s)", i > 0 ? ", " : "", cose, type);
+ }
+
+ printf("\n");
+}
+
+/*
+ * Auxiliary function to print an authenticator's AAGUID on stdout.
+ */
+static void
+print_aaguid(const unsigned char *buf, size_t buflen)
+{
+ printf("aaguid: ");
+
+ while (buflen--)
+ printf("%02x", *buf++);
+
+ printf("\n");
+}
+
+/*
+ * Auxiliary function to print an authenticator's maximum message size on
+ * stdout.
+ */
+static void
+print_maxmsgsiz(uint64_t maxmsgsiz)
+{
+ printf("maxmsgsiz: %d\n", (int)maxmsgsiz);
+}
+
+/*
+ * Auxiliary function to print an authenticator's maximum number of credentials
+ * in a credential list on stdout.
+ */
+static void
+print_maxcredcntlst(uint64_t maxcredcntlst)
+{
+ printf("maxcredcntlst: %d\n", (int)maxcredcntlst);
+}
+
+/*
+ * Auxiliary function to print an authenticator's maximum credential ID length
+ * on stdout.
+ */
+static void
+print_maxcredidlen(uint64_t maxcredidlen)
+{
+ printf("maxcredlen: %d\n", (int)maxcredidlen);
+}
+
+/*
+ * Auxiliary function to print the maximum size of an authenticator's
+ * serialized largeBlob array.
+ */
+static void
+print_maxlargeblob(uint64_t maxlargeblob)
+{
+ printf("maxlargeblob: %d\n", (int)maxlargeblob);
+}
+
+/*
+ * Auxiliary function to print the authenticator's estimated number of
+ * remaining resident credentials.
+ */
+static void
+print_rk_remaining(int64_t rk_remaining)
+{
+ printf("remaining rk(s): ");
+
+ if (rk_remaining == -1)
+ printf("undefined\n");
+ else
+ printf("%d\n", (int)rk_remaining);
+}
+
+/*
+ * Auxiliary function to print the minimum pin length observed by the
+ * authenticator.
+ */
+static void
+print_minpinlen(uint64_t minpinlen)
+{
+ printf("minpinlen: %d\n", (int)minpinlen);
+}
+
+/*
+ * Auxiliary function to print the authenticator's preferred (platform)
+ * UV attempts.
+ */
+static void
+print_uv_attempts(uint64_t uv_attempts)
+{
+ printf("platform uv attempt(s): %d\n", (int)uv_attempts);
+}
+
+/*
+ * Auxiliary function to print an authenticator's firmware version on stdout.
+ */
+static void
+print_fwversion(uint64_t fwversion)
+{
+ printf("fwversion: 0x%x\n", (int)fwversion);
+}
+
+/*
+ * Auxiliary function to print an array of bytes on stdout.
+ */
+static void
+print_byte_array(const char *label, const uint8_t *ba, size_t len)
+{
+ if (len == 0)
+ return;
+
+ printf("%s: ", label);
+
+ for (size_t i = 0; i < len; i++)
+ printf("%s%u", i > 0 ? ", " : "", (unsigned)ba[i]);
+
+ printf("\n");
+}
+
+static void
+getinfo(const char *path)
+{
+ fido_dev_t *dev;
+ fido_cbor_info_t *ci;
+ int r;
+
+ fido_init(0);
+
+ if ((dev = fido_dev_new()) == NULL)
+ errx(1, "fido_dev_new");
+ if ((r = fido_dev_open(dev, path)) != FIDO_OK)
+ errx(1, "fido_dev_open: %s (0x%x)", fido_strerr(r), r);
+
+ print_attr(dev);
+
+ if (fido_dev_is_fido2(dev) == false)
+ goto end;
+ if ((ci = fido_cbor_info_new()) == NULL)
+ errx(1, "fido_cbor_info_new");
+ if ((r = fido_dev_get_cbor_info(dev, ci)) != FIDO_OK)
+ errx(1, "fido_dev_get_cbor_info: %s (0x%x)", fido_strerr(r), r);
+
+ /* print supported protocol versions */
+ print_str_array("version", fido_cbor_info_versions_ptr(ci),
+ fido_cbor_info_versions_len(ci));
+
+ /* print supported extensions */
+ print_str_array("extension", fido_cbor_info_extensions_ptr(ci),
+ fido_cbor_info_extensions_len(ci));
+
+ /* print supported transports */
+ print_str_array("transport", fido_cbor_info_transports_ptr(ci),
+ fido_cbor_info_transports_len(ci));
+
+ /* print supported algorithms */
+ print_algorithms(ci);
+
+ /* print aaguid */
+ print_aaguid(fido_cbor_info_aaguid_ptr(ci),
+ fido_cbor_info_aaguid_len(ci));
+
+ /* print supported options */
+ print_opt_array("options", fido_cbor_info_options_name_ptr(ci),
+ fido_cbor_info_options_value_ptr(ci),
+ fido_cbor_info_options_len(ci));
+
+ /* print certifications */
+ print_cert_array("certifications", fido_cbor_info_certs_name_ptr(ci),
+ fido_cbor_info_certs_value_ptr(ci),
+ fido_cbor_info_certs_len(ci));
+
+ /* print firmware version */
+ print_fwversion(fido_cbor_info_fwversion(ci));
+
+ /* print maximum message size */
+ print_maxmsgsiz(fido_cbor_info_maxmsgsiz(ci));
+
+ /* print maximum number of credentials allowed in credential lists */
+ print_maxcredcntlst(fido_cbor_info_maxcredcntlst(ci));
+
+ /* print maximum length of a credential ID */
+ print_maxcredidlen(fido_cbor_info_maxcredidlen(ci));
+
+ /* print maximum length of largeBlob array */
+ print_maxlargeblob(fido_cbor_info_maxlargeblob(ci));
+
+ /* print number of remaining resident credentials */
+ print_rk_remaining(fido_cbor_info_rk_remaining(ci));
+
+ /* print minimum pin length */
+ print_minpinlen(fido_cbor_info_minpinlen(ci));
+
+ /* print supported pin protocols */
+ print_byte_array("pin protocols", fido_cbor_info_protocols_ptr(ci),
+ fido_cbor_info_protocols_len(ci));
+
+ /* print whether a new pin is required */
+ printf("pin change required: %s\n",
+ fido_cbor_info_new_pin_required(ci) ? "true" : "false");
+
+ /* print platform uv attempts */
+ print_uv_attempts(fido_cbor_info_uv_attempts(ci));
+
+ fido_cbor_info_free(&ci);
+end:
+ if ((r = fido_dev_close(dev)) != FIDO_OK)
+ errx(1, "fido_dev_close: %s (0x%x)", fido_strerr(r), r);
+
+ fido_dev_free(&dev);
+}
+
+int
+main(int argc, char **argv)
+{
+ if (argc != 2) {
+ fprintf(stderr, "usage: info <device>\n");
+ exit(EXIT_FAILURE);
+ }
+
+ getinfo(argv[1]);
+
+ exit(0);
+}
diff --git a/examples/manifest.c b/examples/manifest.c
new file mode 100644
index 0000000..c2b3bf1
--- /dev/null
+++ b/examples/manifest.c
@@ -0,0 +1,42 @@
+/*
+ * Copyright (c) 2018 Yubico AB. All rights reserved.
+ * Use of this source code is governed by a BSD-style
+ * license that can be found in the LICENSE file.
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#include <fido.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "../openbsd-compat/openbsd-compat.h"
+
+int
+main(void)
+{
+ fido_dev_info_t *devlist;
+ size_t ndevs;
+ int r;
+
+ fido_init(0);
+
+ if ((devlist = fido_dev_info_new(64)) == NULL)
+ errx(1, "fido_dev_info_new");
+
+ if ((r = fido_dev_info_manifest(devlist, 64, &ndevs)) != FIDO_OK)
+ errx(1, "fido_dev_info_manifest: %s (0x%x)", fido_strerr(r), r);
+
+ for (size_t i = 0; i < ndevs; i++) {
+ const fido_dev_info_t *di = fido_dev_info_ptr(devlist, i);
+ printf("%s: vendor=0x%04x, product=0x%04x (%s %s)\n",
+ fido_dev_info_path(di),
+ (uint16_t)fido_dev_info_vendor(di),
+ (uint16_t)fido_dev_info_product(di),
+ fido_dev_info_manufacturer_string(di),
+ fido_dev_info_product_string(di));
+ }
+
+ fido_dev_info_free(&devlist, ndevs);
+
+ exit(0);
+}
diff --git a/examples/reset.c b/examples/reset.c
new file mode 100644
index 0000000..767a162
--- /dev/null
+++ b/examples/reset.c
@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 2018-2021 Yubico AB. All rights reserved.
+ * Use of this source code is governed by a BSD-style
+ * license that can be found in the LICENSE file.
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+/*
+ * Perform a factory reset on a given authenticator.
+ */
+
+#include <fido.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "../openbsd-compat/openbsd-compat.h"
+#include "extern.h"
+
+int
+main(int argc, char **argv)
+{
+ fido_dev_t *dev;
+ int r;
+
+ if (argc != 2) {
+ fprintf(stderr, "usage: reset <device>\n");
+ exit(EXIT_FAILURE);
+ }
+
+ fido_init(0);
+
+ if ((dev = fido_dev_new()) == NULL)
+ errx(1, "fido_dev_new");
+
+ if ((r = fido_dev_open(dev, argv[1])) != FIDO_OK)
+ errx(1, "fido_dev_open: %s (0x%x)", fido_strerr(r), r);
+
+ if ((r = fido_dev_reset(dev)) != FIDO_OK) {
+ fido_dev_cancel(dev);
+ errx(1, "fido_dev_reset: %s (0x%x)", fido_strerr(r), r);
+ }
+
+ if ((r = fido_dev_close(dev)) != FIDO_OK)
+ errx(1, "fido_dev_close: %s (0x%x)", fido_strerr(r), r);
+
+ fido_dev_free(&dev);
+
+ exit(0);
+}
diff --git a/examples/retries.c b/examples/retries.c
new file mode 100644
index 0000000..a0610fe
--- /dev/null
+++ b/examples/retries.c
@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 2018 Yubico AB. All rights reserved.
+ * Use of this source code is governed by a BSD-style
+ * license that can be found in the LICENSE file.
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+/*
+ * Get an authenticator's number of PIN attempts left.
+ */
+
+#include <fido.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "../openbsd-compat/openbsd-compat.h"
+
+int
+main(int argc, char **argv)
+{
+ fido_dev_t *dev;
+ int n;
+ int r;
+
+ if (argc != 2) {
+ fprintf(stderr, "usage: retries <device>\n");
+ exit(EXIT_FAILURE);
+ }
+
+ fido_init(0);
+
+ if ((dev = fido_dev_new()) == NULL)
+ errx(1, "fido_dev_new");
+
+ if ((r = fido_dev_open(dev, argv[1])) != FIDO_OK)
+ errx(1, "fido_open: %s (0x%x)", fido_strerr(r), r);
+
+ if ((r = fido_dev_get_retry_count(dev, &n)) != FIDO_OK)
+ errx(1, "fido_dev_get_retry_count: %s (0x%x)", fido_strerr(r), r);
+
+ if ((r = fido_dev_close(dev)) != FIDO_OK)
+ errx(1, "fido_close: %s (0x%x)", fido_strerr(r), r);
+
+ fido_dev_free(&dev);
+
+ printf("%d\n", n);
+
+ exit(0);
+}
diff --git a/examples/select.c b/examples/select.c
new file mode 100644
index 0000000..008eb2e
--- /dev/null
+++ b/examples/select.c
@@ -0,0 +1,215 @@
+/*
+ * Copyright (c) 2020-2022 Yubico AB. All rights reserved.
+ * Use of this source code is governed by a BSD-style
+ * license that can be found in the LICENSE file.
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#include <errno.h>
+#include <fido.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+
+#include "../openbsd-compat/openbsd-compat.h"
+
+#define FIDO_POLL_MS 50
+
+#if defined(_MSC_VER)
+static int
+nanosleep(const struct timespec *rqtp, struct timespec *rmtp)
+{
+ if (rmtp != NULL) {
+ errno = EINVAL;
+ return (-1);
+ }
+
+ Sleep((DWORD)(rqtp->tv_sec * 1000) + (DWORD)(rqtp->tv_nsec / 1000000));
+
+ return (0);
+}
+#endif
+
+static fido_dev_t *
+open_dev(const fido_dev_info_t *di)
+{
+ fido_dev_t *dev;
+ int r;
+
+ if ((dev = fido_dev_new()) == NULL) {
+ warnx("%s: fido_dev_new", __func__);
+ return (NULL);
+ }
+
+ if ((r = fido_dev_open(dev, fido_dev_info_path(di))) != FIDO_OK) {
+ warnx("%s: fido_dev_open %s: %s", __func__,
+ fido_dev_info_path(di), fido_strerr(r));
+ fido_dev_free(&dev);
+ return (NULL);
+ }
+
+ printf("%s (0x%04x:0x%04x) is %s\n", fido_dev_info_path(di),
+ fido_dev_info_vendor(di), fido_dev_info_product(di),
+ fido_dev_is_fido2(dev) ? "fido2" : "u2f");
+
+ return (dev);
+}
+
+static int
+select_dev(const fido_dev_info_t *devlist, size_t ndevs, fido_dev_t **dev,
+ size_t *idx, int secs)
+{
+ const fido_dev_info_t *di;
+ fido_dev_t **devtab;
+ struct timespec ts_start;
+ struct timespec ts_now;
+ struct timespec ts_delta;
+ struct timespec ts_pause;
+ size_t nopen = 0;
+ int touched;
+ int r;
+ long ms_remain;
+
+ *dev = NULL;
+ *idx = 0;
+
+ printf("%u authenticator(s) detected\n", (unsigned)ndevs);
+
+ if (ndevs == 0)
+ return (0); /* nothing to do */
+
+ if ((devtab = calloc(ndevs, sizeof(*devtab))) == NULL) {
+ warn("%s: calloc", __func__);
+ return (-1);
+ }
+
+ for (size_t i = 0; i < ndevs; i++) {
+ di = fido_dev_info_ptr(devlist, i);
+ if ((devtab[i] = open_dev(di)) != NULL) {
+ *idx = i;
+ nopen++;
+ }
+ }
+
+ printf("%u authenticator(s) opened\n", (unsigned)nopen);
+
+ if (nopen < 2) {
+ if (nopen == 1)
+ *dev = devtab[*idx]; /* single candidate */
+ r = 0;
+ goto out;
+ }
+
+ for (size_t i = 0; i < ndevs; i++) {
+ di = fido_dev_info_ptr(devlist, i);
+ if (devtab[i] == NULL)
+ continue; /* failed to open */
+ if ((r = fido_dev_get_touch_begin(devtab[i])) != FIDO_OK) {
+ warnx("%s: fido_dev_get_touch_begin %s: %s", __func__,
+ fido_dev_info_path(di), fido_strerr(r));
+ r = -1;
+ goto out;
+ }
+ }
+
+ if (clock_gettime(CLOCK_MONOTONIC, &ts_start) != 0) {
+ warn("%s: clock_gettime", __func__);
+ r = -1;
+ goto out;
+ }
+
+ ts_pause.tv_sec = 0;
+ ts_pause.tv_nsec = 200000000; /* 200ms */
+
+ do {
+ nanosleep(&ts_pause, NULL);
+
+ for (size_t i = 0; i < ndevs; i++) {
+ di = fido_dev_info_ptr(devlist, i);
+ if (devtab[i] == NULL) {
+ /* failed to open or discarded */
+ continue;
+ }
+ if ((r = fido_dev_get_touch_status(devtab[i], &touched,
+ FIDO_POLL_MS)) != FIDO_OK) {
+ warnx("%s: fido_dev_get_touch_status %s: %s",
+ __func__, fido_dev_info_path(di),
+ fido_strerr(r));
+ fido_dev_close(devtab[i]);
+ fido_dev_free(&devtab[i]);
+ continue; /* discard */
+ }
+ if (touched) {
+ *dev = devtab[i];
+ *idx = i;
+ r = 0;
+ goto out;
+ }
+ }
+
+ if (clock_gettime(CLOCK_MONOTONIC, &ts_now) != 0) {
+ warn("%s: clock_gettime", __func__);
+ r = -1;
+ goto out;
+ }
+
+ timespecsub(&ts_now, &ts_start, &ts_delta);
+ ms_remain = (secs * 1000) - ((long)ts_delta.tv_sec * 1000) +
+ ((long)ts_delta.tv_nsec / 1000000);
+ } while (ms_remain > FIDO_POLL_MS);
+
+ printf("timeout after %d seconds\n", secs);
+ r = -1;
+out:
+ if (r != 0) {
+ *dev = NULL;
+ *idx = 0;
+ }
+
+ for (size_t i = 0; i < ndevs; i++) {
+ if (devtab[i] && devtab[i] != *dev) {
+ fido_dev_cancel(devtab[i]);
+ fido_dev_close(devtab[i]);
+ fido_dev_free(&devtab[i]);
+ }
+ }
+
+ free(devtab);
+
+ return (r);
+}
+
+int
+main(void)
+{
+ const fido_dev_info_t *di;
+ fido_dev_info_t *devlist;
+ fido_dev_t *dev;
+ size_t idx;
+ size_t ndevs;
+ int r;
+
+ fido_init(0);
+
+ if ((devlist = fido_dev_info_new(64)) == NULL)
+ errx(1, "fido_dev_info_new");
+
+ if ((r = fido_dev_info_manifest(devlist, 64, &ndevs)) != FIDO_OK)
+ errx(1, "fido_dev_info_manifest: %s (0x%x)", fido_strerr(r), r);
+ if (select_dev(devlist, ndevs, &dev, &idx, 15) != 0)
+ errx(1, "select_dev");
+ if (dev == NULL)
+ errx(1, "no authenticator found");
+
+ di = fido_dev_info_ptr(devlist, idx);
+ printf("%s: %s by %s (PIN %sset)\n", fido_dev_info_path(di),
+ fido_dev_info_product_string(di),
+ fido_dev_info_manufacturer_string(di),
+ fido_dev_has_pin(dev) ? "" : "un");
+
+ fido_dev_close(dev);
+ fido_dev_free(&dev);
+ fido_dev_info_free(&devlist, ndevs);
+
+ exit(0);
+}
diff --git a/examples/setpin.c b/examples/setpin.c
new file mode 100644
index 0000000..72e08e4
--- /dev/null
+++ b/examples/setpin.c
@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 2018 Yubico AB. All rights reserved.
+ * Use of this source code is governed by a BSD-style
+ * license that can be found in the LICENSE file.
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+/*
+ * Configure a PIN on a given authenticator.
+ */
+
+#include <fido.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "../openbsd-compat/openbsd-compat.h"
+
+static void
+setpin(const char *path, const char *pin, const char *oldpin)
+{
+ fido_dev_t *dev;
+ int r;
+
+ fido_init(0);
+
+ if ((dev = fido_dev_new()) == NULL)
+ errx(1, "fido_dev_new");
+
+ if ((r = fido_dev_open(dev, path)) != FIDO_OK)
+ errx(1, "fido_dev_open: %s (0x%x)", fido_strerr(r), r);
+
+ if ((r = fido_dev_set_pin(dev, pin, oldpin)) != FIDO_OK)
+ errx(1, "fido_dev_set_pin: %s (0x%x)", fido_strerr(r), r);
+
+ if ((r = fido_dev_close(dev)) != FIDO_OK)
+ errx(1, "fido_dev_close: %s (0x%x)", fido_strerr(r), r);
+
+ fido_dev_free(&dev);
+}
+
+int
+main(int argc, char **argv)
+{
+ if (argc < 3 || argc > 4) {
+ fprintf(stderr, "usage: setpin <pin> [oldpin] <device>\n");
+ exit(EXIT_FAILURE);
+ }
+
+ if (argc == 3)
+ setpin(argv[2], argv[1], NULL);
+ else
+ setpin(argv[3], argv[1], argv[2]);
+
+ exit(0);
+}
diff --git a/examples/util.c b/examples/util.c
new file mode 100644
index 0000000..0c0c77a
--- /dev/null
+++ b/examples/util.c
@@ -0,0 +1,444 @@
+/*
+ * Copyright (c) 2018-2022 Yubico AB. All rights reserved.
+ * Use of this source code is governed by a BSD-style
+ * license that can be found in the LICENSE file.
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <openssl/ec.h>
+#include <openssl/evp.h>
+#include <openssl/pem.h>
+
+#include <fido.h>
+#include <fido/es256.h>
+#include <fido/es384.h>
+#include <fido/rs256.h>
+#include <fido/eddsa.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <stdlib.h>
+#include <string.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef _MSC_VER
+#include "../openbsd-compat/posix_win.h"
+#endif
+#include "../openbsd-compat/openbsd-compat.h"
+#include "extern.h"
+
+int
+base10(const char *str, long long *ll)
+{
+ char *ep;
+
+ *ll = strtoll(str, &ep, 10);
+ if (str == ep || *ep != '\0')
+ return (-1);
+ else if (*ll == LLONG_MIN && errno == ERANGE)
+ return (-1);
+ else if (*ll == LLONG_MAX && errno == ERANGE)
+ return (-1);
+
+ return (0);
+}
+
+int
+write_blob(const char *path, const unsigned char *ptr, size_t len)
+{
+ int fd, ok = -1;
+ ssize_t n;
+
+ if ((fd = open(path, O_WRONLY | O_CREAT, 0600)) < 0) {
+ warn("open %s", path);
+ goto fail;
+ }
+
+ if ((n = write(fd, ptr, len)) < 0) {
+ warn("write");
+ goto fail;
+ }
+ if ((size_t)n != len) {
+ warnx("write");
+ goto fail;
+ }
+
+ ok = 0;
+fail:
+ if (fd != -1) {
+ close(fd);
+ }
+
+ return (ok);
+}
+
+int
+read_blob(const char *path, unsigned char **ptr, size_t *len)
+{
+ int fd, ok = -1;
+ struct stat st;
+ ssize_t n;
+
+ *ptr = NULL;
+ *len = 0;
+
+ if ((fd = open(path, O_RDONLY)) < 0) {
+ warn("open %s", path);
+ goto fail;
+ }
+ if (fstat(fd, &st) < 0) {
+ warn("stat %s", path);
+ goto fail;
+ }
+ if (st.st_size < 0) {
+ warnx("stat %s: invalid size", path);
+ goto fail;
+ }
+ *len = (size_t)st.st_size;
+ if ((*ptr = malloc(*len)) == NULL) {
+ warn("malloc");
+ goto fail;
+ }
+ if ((n = read(fd, *ptr, *len)) < 0) {
+ warn("read");
+ goto fail;
+ }
+ if ((size_t)n != *len) {
+ warnx("read");
+ goto fail;
+ }
+
+ ok = 0;
+fail:
+ if (fd != -1) {
+ close(fd);
+ }
+ if (ok < 0) {
+ free(*ptr);
+ *ptr = NULL;
+ *len = 0;
+ }
+
+ return (ok);
+}
+
+EC_KEY *
+read_ec_pubkey(const char *path)
+{
+ FILE *fp = NULL;
+ EVP_PKEY *pkey = NULL;
+ EC_KEY *ec = NULL;
+
+ if ((fp = fopen(path, "r")) == NULL) {
+ warn("fopen");
+ goto fail;
+ }
+
+ if ((pkey = PEM_read_PUBKEY(fp, NULL, NULL, NULL)) == NULL) {
+ warnx("PEM_read_PUBKEY");
+ goto fail;
+ }
+ if ((ec = EVP_PKEY_get1_EC_KEY(pkey)) == NULL) {
+ warnx("EVP_PKEY_get1_EC_KEY");
+ goto fail;
+ }
+
+fail:
+ if (fp != NULL) {
+ fclose(fp);
+ }
+ if (pkey != NULL) {
+ EVP_PKEY_free(pkey);
+ }
+
+ return (ec);
+}
+
+int
+write_es256_pubkey(const char *path, const void *ptr, size_t len)
+{
+ FILE *fp = NULL;
+ EVP_PKEY *pkey = NULL;
+ es256_pk_t *pk = NULL;
+ int fd = -1;
+ int ok = -1;
+
+ if ((pk = es256_pk_new()) == NULL) {
+ warnx("es256_pk_new");
+ goto fail;
+ }
+
+ if (es256_pk_from_ptr(pk, ptr, len) != FIDO_OK) {
+ warnx("es256_pk_from_ptr");
+ goto fail;
+ }
+
+ if ((fd = open(path, O_WRONLY | O_CREAT, 0644)) < 0) {
+ warn("open %s", path);
+ goto fail;
+ }
+
+ if ((fp = fdopen(fd, "w")) == NULL) {
+ warn("fdopen");
+ goto fail;
+ }
+ fd = -1; /* owned by fp now */
+
+ if ((pkey = es256_pk_to_EVP_PKEY(pk)) == NULL) {
+ warnx("es256_pk_to_EVP_PKEY");
+ goto fail;
+ }
+
+ if (PEM_write_PUBKEY(fp, pkey) == 0) {
+ warnx("PEM_write_PUBKEY");
+ goto fail;
+ }
+
+ ok = 0;
+fail:
+ es256_pk_free(&pk);
+
+ if (fp != NULL) {
+ fclose(fp);
+ }
+ if (fd != -1) {
+ close(fd);
+ }
+ if (pkey != NULL) {
+ EVP_PKEY_free(pkey);
+ }
+
+ return (ok);
+}
+
+int
+write_es384_pubkey(const char *path, const void *ptr, size_t len)
+{
+ FILE *fp = NULL;
+ EVP_PKEY *pkey = NULL;
+ es384_pk_t *pk = NULL;
+ int fd = -1;
+ int ok = -1;
+
+ if ((pk = es384_pk_new()) == NULL) {
+ warnx("es384_pk_new");
+ goto fail;
+ }
+
+ if (es384_pk_from_ptr(pk, ptr, len) != FIDO_OK) {
+ warnx("es384_pk_from_ptr");
+ goto fail;
+ }
+
+ if ((fd = open(path, O_WRONLY | O_CREAT, 0644)) < 0) {
+ warn("open %s", path);
+ goto fail;
+ }
+
+ if ((fp = fdopen(fd, "w")) == NULL) {
+ warn("fdopen");
+ goto fail;
+ }
+ fd = -1; /* owned by fp now */
+
+ if ((pkey = es384_pk_to_EVP_PKEY(pk)) == NULL) {
+ warnx("es384_pk_to_EVP_PKEY");
+ goto fail;
+ }
+
+ if (PEM_write_PUBKEY(fp, pkey) == 0) {
+ warnx("PEM_write_PUBKEY");
+ goto fail;
+ }
+
+ ok = 0;
+fail:
+ es384_pk_free(&pk);
+
+ if (fp != NULL) {
+ fclose(fp);
+ }
+ if (fd != -1) {
+ close(fd);
+ }
+ if (pkey != NULL) {
+ EVP_PKEY_free(pkey);
+ }
+
+ return (ok);
+}
+
+RSA *
+read_rsa_pubkey(const char *path)
+{
+ FILE *fp = NULL;
+ EVP_PKEY *pkey = NULL;
+ RSA *rsa = NULL;
+
+ if ((fp = fopen(path, "r")) == NULL) {
+ warn("fopen");
+ goto fail;
+ }
+
+ if ((pkey = PEM_read_PUBKEY(fp, NULL, NULL, NULL)) == NULL) {
+ warnx("PEM_read_PUBKEY");
+ goto fail;
+ }
+ if ((rsa = EVP_PKEY_get1_RSA(pkey)) == NULL) {
+ warnx("EVP_PKEY_get1_RSA");
+ goto fail;
+ }
+
+fail:
+ if (fp != NULL) {
+ fclose(fp);
+ }
+ if (pkey != NULL) {
+ EVP_PKEY_free(pkey);
+ }
+
+ return (rsa);
+}
+
+int
+write_rs256_pubkey(const char *path, const void *ptr, size_t len)
+{
+ FILE *fp = NULL;
+ EVP_PKEY *pkey = NULL;
+ rs256_pk_t *pk = NULL;
+ int fd = -1;
+ int ok = -1;
+
+ if ((pk = rs256_pk_new()) == NULL) {
+ warnx("rs256_pk_new");
+ goto fail;
+ }
+
+ if (rs256_pk_from_ptr(pk, ptr, len) != FIDO_OK) {
+ warnx("rs256_pk_from_ptr");
+ goto fail;
+ }
+
+ if ((fd = open(path, O_WRONLY | O_CREAT, 0644)) < 0) {
+ warn("open %s", path);
+ goto fail;
+ }
+
+ if ((fp = fdopen(fd, "w")) == NULL) {
+ warn("fdopen");
+ goto fail;
+ }
+ fd = -1; /* owned by fp now */
+
+ if ((pkey = rs256_pk_to_EVP_PKEY(pk)) == NULL) {
+ warnx("rs256_pk_to_EVP_PKEY");
+ goto fail;
+ }
+
+ if (PEM_write_PUBKEY(fp, pkey) == 0) {
+ warnx("PEM_write_PUBKEY");
+ goto fail;
+ }
+
+ ok = 0;
+fail:
+ rs256_pk_free(&pk);
+
+ if (fp != NULL) {
+ fclose(fp);
+ }
+ if (fd != -1) {
+ close(fd);
+ }
+ if (pkey != NULL) {
+ EVP_PKEY_free(pkey);
+ }
+
+ return (ok);
+}
+
+EVP_PKEY *
+read_eddsa_pubkey(const char *path)
+{
+ FILE *fp = NULL;
+ EVP_PKEY *pkey = NULL;
+
+ if ((fp = fopen(path, "r")) == NULL) {
+ warn("fopen");
+ goto fail;
+ }
+
+ if ((pkey = PEM_read_PUBKEY(fp, NULL, NULL, NULL)) == NULL) {
+ warnx("PEM_read_PUBKEY");
+ goto fail;
+ }
+
+fail:
+ if (fp) {
+ fclose(fp);
+ }
+
+ return (pkey);
+}
+
+int
+write_eddsa_pubkey(const char *path, const void *ptr, size_t len)
+{
+ FILE *fp = NULL;
+ EVP_PKEY *pkey = NULL;
+ eddsa_pk_t *pk = NULL;
+ int fd = -1;
+ int ok = -1;
+
+ if ((pk = eddsa_pk_new()) == NULL) {
+ warnx("eddsa_pk_new");
+ goto fail;
+ }
+
+ if (eddsa_pk_from_ptr(pk, ptr, len) != FIDO_OK) {
+ warnx("eddsa_pk_from_ptr");
+ goto fail;
+ }
+
+ if ((fd = open(path, O_WRONLY | O_CREAT, 0644)) < 0) {
+ warn("open %s", path);
+ goto fail;
+ }
+
+ if ((fp = fdopen(fd, "w")) == NULL) {
+ warn("fdopen");
+ goto fail;
+ }
+ fd = -1; /* owned by fp now */
+
+ if ((pkey = eddsa_pk_to_EVP_PKEY(pk)) == NULL) {
+ warnx("eddsa_pk_to_EVP_PKEY");
+ goto fail;
+ }
+
+ if (PEM_write_PUBKEY(fp, pkey) == 0) {
+ warnx("PEM_write_PUBKEY");
+ goto fail;
+ }
+
+ ok = 0;
+fail:
+ eddsa_pk_free(&pk);
+
+ if (fp != NULL) {
+ fclose(fp);
+ }
+ if (fd != -1) {
+ close(fd);
+ }
+ if (pkey != NULL) {
+ EVP_PKEY_free(pkey);
+ }
+
+ return (ok);
+}