From 6dde0da4dd32cfa07d3a13bc5582c6143aa5ee40 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Wed, 19 Jun 2024 11:20:31 +0200
Subject: Merging upstream version 1.15.0.

Signed-off-by: Daniel Baumann
---
 man/CMakeLists.txt           |  6 +++++-
 man/fido_cred_new.3          | 44 ++++++++++++++++++++++++++++++++++++++++++--
 man/fido_cred_set_authdata.3 | 28 ++++++++++++++++++++++++++--
 3 files changed, 73 insertions(+), 5 deletions(-)
(limited to 'man')

diff --git a/man/CMakeLists.txt b/man/CMakeLists.txt
index 6616e4e..e83a9d7 100644
--- a/man/CMakeLists.txt
+++ b/man/CMakeLists.txt
@@ -186,6 +186,9 @@ list(APPEND MAN_ALIAS
 	fido_cred_new fido_cred_user_id_ptr
 	fido_cred_new fido_cred_user_name
 	fido_cred_new fido_cred_x5c_len
+	fido_cred_new fido_cred_x5c_list_count
+	fido_cred_new fido_cred_x5c_list_len
+	fido_cred_new fido_cred_x5c_list_ptr
 	fido_cred_new fido_cred_x5c_ptr
 	fido_cred_verify fido_cred_verify_self
 	fido_credman_metadata_new fido_credman_del_dev_rk
@@ -208,6 +211,7 @@ list(APPEND MAN_ALIAS
 	fido_credman_metadata_new fido_credman_rp_new
 	fido_credman_metadata_new fido_credman_set_dev_rk
 	fido_cred_set_authdata fido_cred_set_attstmt
+	fido_cred_set_authdata fido_cred_set_attobj
 	fido_cred_set_authdata fido_cred_set_authdata_raw
 	fido_cred_set_authdata fido_cred_set_blob
 	fido_cred_set_authdata fido_cred_set_clientdata
@@ -393,7 +397,7 @@ if(GZIP_PATH)
 		install(FILES ${PROJECT_BINARY_DIR}/man/${DST}.3.gz
 		    DESTINATION "${CMAKE_INSTALL_MANDIR}/man3")
 	endforeach()
-elseif(NOT MSVC)
+else()
 	add_dependencies(man man_symlink)
 	foreach(f ${MAN_SOURCES})
 		if (${f} MATCHES ".1$")
diff --git a/man/fido_cred_new.3 b/man/fido_cred_new.3
index 4f8b1be..32ce768 100644
--- a/man/fido_cred_new.3
+++ b/man/fido_cred_new.3
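Review bot: The `else()` that replaces `elseif(NOT MSVC)` in the GZIP_PATH block makes the man_symlink fallback run for MSVC builds without gzip as well, but nothing in this hunk shows that the `man_symlink` target, defined outside the hunk, can run on that platform. If that target was made portable elsewhere in this release, a short comment on the branch would spare the next reader the same question, e.g. `# No gzip: install uncompressed pages plus alias symlinks on every platform, MSVC included.`; if it was not, the old guard should stay. The enclosing if/else block starts and ends outside the hunk.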
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2018-2021 Yubico AB. All rights reserved.
+.\" Copyright (c) 2018-2024 Yubico AB. All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions are
@@ -47,6 +47,8 @@
 .Nm fido_cred_pubkey_ptr ,
 .Nm fido_cred_sig_ptr ,
 .Nm fido_cred_user_id_ptr ,
+.Nm fido_cred_x5c_list_count ,
+.Nm fido_cred_x5c_list_ptr ,
 .Nm fido_cred_x5c_ptr ,
 .Nm fido_cred_attstmt_ptr ,
 .Nm fido_cred_authdata_len ,
@@ -58,6 +60,7 @@
 .Nm fido_cred_pubkey_len ,
 .Nm fido_cred_sig_len ,
 .Nm fido_cred_user_id_len ,
+.Nm fido_cred_x5c_list_len ,
 .Nm fido_cred_x5c_len ,
 .Nm fido_cred_attstmt_len ,
 .Nm fido_cred_type ,
@@ -102,6 +105,10 @@
 .Fn fido_cred_sig_ptr "const fido_cred_t *cred"
 .Ft const unsigned char *
 .Fn fido_cred_user_id_ptr "const fido_cred_t *cred"
+.Ft size_t
+.Fn fido_cred_x5c_list_count "const fido_cred_t *cred"
+.Ft const unsigned char *
+.Fn fido_cred_x5c_list_ptr "const fido_cred_t *cred" "size_t idx"
 .Ft const unsigned char *
 .Fn fido_cred_x5c_ptr "const fido_cred_t *cred"
 .Ft const unsigned char *
@@ -125,6 +132,8 @@
 .Ft size_t
 .Fn fido_cred_user_id_len "const fido_cred_t *cred"
 .Ft size_t
+.Fn fido_cred_x5c_list_len "const fido_cred_t *cred" "size_t idx"
+.Ft size_t
 .Fn fido_cred_x5c_len "const fido_cred_t *cred"
 .Ft size_t
 .Fn fido_cred_attstmt_len "const fido_cred_t *cred"
@@ -246,7 +255,7 @@ and
 functions return pointers to the CBOR-encoded and raw authenticator data, client data hash, ID, authenticator attestation GUID,
 .Dq largeBlobKey ,
-public key, signature, user ID, x509 certificate, and attestation
+public key, signature, user ID, x509 leaf certificate, and attestation
 statement parts of
 .Fa cred ,
 or NULL if the respective entry is not set.
@@ -265,6 +274,37 @@ The corresponding length can be obtained by
 and
 .Fn fido_cred_attstmt_len .
 .Pp
+The
+.Fn fido_cred_x5c_list_count
+function returns the length of the x509 certificate chain in
+.Fa cred
+and the
+.Fn fido_cred_x5c_list_ptr
+and
+.Fn fido_cred_x5c_list_len
+functions return a pointer to and length of the x509 certificate at index
+.Fa idx
+respectively.
+Please note that the leaf certificate has an
+.Fa idx
+(index) value of 0 and calling
+.Fn fido_cred_x5c_list_ptr cred 0
+and
+.Fn fido_cred_x5c_list_len cred 0
+is equivalent to
+.Fn fido_cred_x5c_ptr cred
+and
+.Fn fido_cred_x5c_len cred
+respectively.
+If
+.Fa idx
+exceeds the return value of
+.Fn fido_cred_x5c_list_count ,
+.Fn fido_cred_x5c_list_ptr
+returns NULL and
+.Fn fido_cred_x5c_list_len
+returns 0.
+.Pp
 The authenticator data, x509 certificate, and signature parts of a credential are typically passed to a FIDO2 server for verification.
 .Pp
diff --git a/man/fido_cred_set_authdata.3 b/man/fido_cred_set_authdata.3
index e453832..ba3507f 100644
--- a/man/fido_cred_set_authdata.3
+++ b/man/fido_cred_set_authdata.3
@@ -32,6 +32,7 @@
 .Nm fido_cred_set_authdata ,
 .Nm fido_cred_set_authdata_raw ,
 .Nm fido_cred_set_attstmt ,
+.Nm fido_cred_set_attobj ,
 .Nm fido_cred_set_x509 ,
 .Nm fido_cred_set_sig ,
 .Nm fido_cred_set_id ,
@@ -64,6 +65,8 @@ typedef enum {
 .Ft int
 .Fn fido_cred_set_attstmt "fido_cred_t *cred" "const unsigned char *ptr" "size_t len"
 .Ft int
+.Fn fido_cred_set_attobj "fido_cred_t *cred" "const unsigned char *ptr" "size_t len"
+.Ft int
 .Fn fido_cred_set_x509 "fido_cred_t *cred" "const unsigned char *ptr" "size_t len"
 .Ft int
 .Fn fido_cred_set_sig "fido_cred_t *cred" "const unsigned char *ptr" "size_t len"
@@ -110,14 +113,15 @@ of its constituent parts, please refer to the Web Authentication
 The
 .Fn fido_cred_set_authdata ,
 .Fn fido_cred_set_attstmt ,
+.Fn fido_cred_set_attobj ,
 .Fn fido_cred_set_x509 ,
 .Fn fido_cred_set_sig ,
 .Fn fido_cred_set_id ,
 and
 .Fn fido_cred_set_clientdata_hash
 functions set the authenticator data, attestation statement,
-attestation certificate, attestation signature, id, and client
-data hash parts of
+attestation object, attestation certificate, attestation signature,
+id, and client data hash parts of
 .Fa cred
 to
 .Fa ptr ,
@@ -157,6 +161,26 @@ The latter two are meant to be used in contexts where the
 credential's complete attestation statement is not available or required.
 .Pp
+The attestation object passed to
+.Fn fido_cred_set_attobj
+must be a CBOR-encoded map containing
+.Dq authData ,
+.Dq fmt ,
+and
+.Dq attStmt .
+An application calling
+.Fn fido_cred_set_attobj
+does not need to call
+.Fn fido_cred_set_fmt ,
+.Fn fido_cred_set_attstmt ,
+.Fn fido_cred_set_authdata ,
+or
+.Fn fido_cred_set_authdata_raw .
+.Fn fido_cred_set_attobj
+may be useful in applications interfacing with the WebAuthn API,
+removing the need to first parse the attestation object to verify the
+credential.
+.Pp
 The
 .Fn fido_cred_set_clientdata
 function allows an application to set the client data hash of
-- 
cgit v1.2.3