1FIDO2-ASSERT(1)           BSD General Commands Manual          FIDO2-ASSERT(1)
2

NAME

4     fido2-assert — get/verify a FIDO 2 assertion
5

SYNOPSIS

7     fido2-assert -G [-dhpruv] [-t option] [-i input_file] [-o output_file]
8                  device
9     fido2-assert -V [-dhpv] [-i input_file] key_file [type]
10

DESCRIPTION

12     fido2-assert gets or verifies a FIDO 2 assertion.
13
14     The input of fido2-assert is defined by the parameters of the assertion
15     to be obtained/verified.  See the INPUT FORMAT section for details.
16
17     The output of fido2-assert is defined by the result of the selected oper‐
18     ation.  See the OUTPUT FORMAT section for details.
19
20     If an assertion is successfully obtained or verified, fido2-assert exits
21     0.  Otherwise, fido2-assert exits 1.
22
23     The options are as follows:
24
25     -G      Tells fido2-assert to obtain a new assertion from device.
26
27     -V      Tells fido2-assert to verify an assertion using the PEM-encoded
28             public key in key_file of type type, where type may be es256 (de‐
29             noting ECDSA over NIST P-256 with SHA-256), rs256 (denoting
30             2048-bit RSA with PKCS#1.5 padding and SHA-256), or eddsa (denot‐
31             ing EDDSA over Curve25519 with SHA-512).  If type is not speci‐
32             fied, es256 is assumed.
33
34     -h      If obtaining an assertion, enable the FIDO2 hmac-secret exten‐
35             sion.  If verifying an assertion, check whether the extension
36             data bit was signed by the authenticator.
37
38     -d      Causes fido2-assert to emit debugging output on stderr.
39
40     -i input_file
41             Tells fido2-assert to read the parameters of the assertion from
42             input_file instead of stdin.
43
44     -o output_file
45             Tells fido2-assert to write output on output_file instead of
46             stdout.
47
48     -p      If obtaining an assertion, request user presence.  If verifying
49             an assertion, check whether the user presence bit was signed by
50             the authenticator.
51
52     -r      Obtain an assertion using a resident credential.  If -r is speci‐
53             fied, fido2-assert will not expect a credential id in its input,
54             and may output multiple assertions.  Resident credentials are
55             called “discoverable credentials” in FIDO2.1.
56
57     -t option
58             Toggles a key/value option, where option is a string of the form
59             “key=value”.  The options supported at present are:
60
61             up=true|false
62                     Asks the authenticator for user presence to be enabled or
63                     disabled.
64
65             uv=true|false
66                     Asks the authenticator for user verification to be en‐
67                     abled or disabled.
68
69             pin=true|false
70                     Tells fido2-assert whether to prompt for a PIN and re‐
71                     quest user verification.
72
73             The -t option may be specified multiple times.
74
75     -u      Obtain an assertion using U2F.  By default, fido2-assert will use
76             FIDO2 if supported by the authenticator, and fallback to U2F oth‐
77             erwise.
78
79     -v      If obtaining an assertion, prompt the user for a PIN and request
80             user verification from the authenticator.  If verifying an asser‐
81             tion, check whether the user verification bit was signed by the
82             authenticator.
83
84     If a tty is available, fido2-assert will use it to obtain the PIN.  Oth‐
85     erwise, stdin is used.
86

INPUT FORMAT

88     The input of fido2-assert consists of base64 blobs and UTF-8 strings sep‐
89     arated by newline characters ('\n').
90
91     When obtaining an assertion, fido2-assert expects its input to consist
92     of:
93
94           1.   client data hash (base64 blob);
95           2.   relying party id (UTF-8 string);
96           3.   credential id, if credential not resident (base64 blob);
97           4.   hmac salt, if the FIDO2 hmac-secret extension is enabled
98                (base64 blob);
99
100     When verifying an assertion, fido2-assert expects its input to consist
101     of:
102
103           1.   client data hash (base64 blob);
104           2.   relying party id (UTF-8 string);
105           3.   authenticator data (base64 blob);
106           4.   assertion signature (base64 blob);
107
108     UTF-8 strings passed to fido2-assert must not contain embedded newline or
109     NUL characters.
110

OUTPUT FORMAT

112     The output of fido2-assert consists of base64 blobs and UTF-8 strings
113     separated by newline characters ('\n').
114
115     For each generated assertion, fido2-assert outputs:
116
117           1.   client data hash (base64 blob);
118           2.   relying party id (UTF-8 string);
119           3.   authenticator data (base64 blob);
120           4.   assertion signature (base64 blob);
121           5.   user id, if credential resident (base64 blob);
122           6.   hmac secret, if the FIDO2 hmac-secret extension is enabled
123                (base64 blob);
124
125     When verifying an assertion, fido2-assert produces no output.
126

EXAMPLES

128     Assuming cred contains a es256 credential created according to the steps
129     outlined in fido2-cred(1), obtain an assertion from an authenticator at
130     /dev/hidraw5 and verify it:
131
132           $ echo assertion challenge | openssl sha256 -binary | base64 >
133           assert_param
134           $ echo relying party >> assert_param
135           $ head -1 cred >> assert_param
136           $ tail -n +2 cred > pubkey
137           $ fido2-assert -G -i assert_param /dev/hidraw5 | fido2-assert -V
138           pubkey es256
139

SEE ALSO

141     fido2-cred(1), fido2-token(1)
142
143BSD                            November 5, 2019                            BSD
Impressum