50#define CTAP_PIN_AUTH_SZ 16
57#define CTAP_AUTH_DATA_FLAG_UP (1 << 0)
58#define CTAP_AUTH_DATA_FLAG_UV (1 << 2)
59#define CTAP_AUTH_DATA_FLAG_AT (1 << 6)
60#define CTAP_AUTH_DATA_FLAG_ED (1 << 7)
68#define CTAP_VERSION_FLAG_FIDO_PRE 0x01
69#define CTAP_VERSION_FLAG_FIDO 0x02
70#define CTAP_VERSION_FLAG_U2F_V2 0x04
80#define CTAP_GET_INFO_RESP_OPTIONS_ID_PLAT "plat"
81#define CTAP_GET_INFO_RESP_OPTIONS_ID_RK "rk"
82#define CTAP_GET_INFO_RESP_OPTIONS_ID_CLIENT_PIN "clientPin"
83#define CTAP_GET_INFO_RESP_OPTIONS_ID_UP "up"
84#define CTAP_GET_INFO_RESP_OPTIONS_ID_UV "uv"
92#define CTAP_INFO_OPTIONS_FLAG_PLAT (1 << 0)
93#define CTAP_INFO_OPTIONS_FLAG_RK (1 << 1)
94#define CTAP_INFO_OPTIONS_FLAG_CLIENT_PIN (1 << 2)
95#define CTAP_INFO_OPTIONS_FLAG_UP (1 << 3)
96#define CTAP_INFO_OPTIONS_FLAG_UV (1 << 4)
116#ifdef CONFIG_FIDO2_CTAP_STACK_SIZE
117#define CTAP_STACKSIZE CONFIG_FIDO2_CTAP_STACK_SIZE
119#define CTAP_STACKSIZE 15000
125#if defined(CONFIG_FIDO2_CTAP_UP_BUTTON_PORT) && defined(CONFIG_FIDO2_CTAP_UP_BUTTON_PIN) && \
126 (CONFIG_FIDO2_CTAP_UP_BUTTON_PORT >= 0) && (CONFIG_FIDO2_CTAP_UP_BUTTON_PIN >= 0)
127#define CTAP_UP_BUTTON GPIO_PIN(CONFIG_FIDO2_CTAP_UP_BUTTON_PORT, CONFIG_FIDO2_CTAP_UP_BUTTON_PIN)
131#define CTAP_UP_BUTTON BTN0_PIN
133#define CTAP_UP_BUTTON 0
137#define CONFIG_FIDO2_CTAP_DISABLE_UP 1
144#if IS_ACTIVE(CONFIG_FIDO2_CTAP_UP_BUTTON_MODE_IN_PU)
145#define CTAP_UP_BUTTON_MODE GPIO_IN_PU
146#elif IS_ACTIVE(CONFIG_FIDO2_CTAP_UP_BUTTON_MODE_IN_PD)
147#define CTAP_UP_BUTTON_MODE GPIO_IN_PD
148#elif IS_ACTIVE(CONFIG_FIDO2_CTAP_UP_BUTTON_MODE_IN)
149#define CTAP_UP_BUTTON_MODE GPIO_IN
151#define CTAP_UP_BUTTON_MODE GPIO_IN_PU
157#if IS_ACTIVE(CONFIG_FIDO2_CTAP_UP_BUTTON_FLANK_FALLING)
158#define CTAP_UP_BUTTON_FLANK GPIO_FALLING
159#elif IS_ACTIVE(CONFIG_FIDO2_CTAP_UP_BUTTON_FLANK_RISING)
160#define CTAP_UP_BUTTON_FLANK GPIO_RISING
161#elif IS_ACTIVE(CONFIG_FIDO2_CTAP_UP_BUTTON_FLANK_BOTH)
162#define CTAP_UP_BUTTON_FLANK GPIO_BOTH
164#define CTAP_UP_BUTTON_FLANK GPIO_FALLING
170#ifndef CONFIG_FIDO2_CTAP_DISABLE_UP
171#define CONFIG_FIDO2_CTAP_DISABLE_UP 0
177#ifndef CONFIG_FIDO2_CTAP_DISABLE_LED
178#define CONFIG_FIDO2_CTAP_DISABLE_LED 0
184#define CTAP_RP_MAX_NAME_SIZE 32
189#define CTAP_USER_MAX_NAME_SIZE 64 + 1
194#define CTAP_USER_ID_MAX_SIZE 64
199#define CTAP_DOMAIN_NAME_MAX_SIZE 253 + 1
204#define CTAP_ICON_MAX_SIZE 128 + 1
209#define CTAP_PIN_MIN_SIZE 4
217#define CTAP_PIN_ENC_MIN_SIZE 64
223#define CTAP_PIN_ENC_MAX_SIZE 256
228#define CTAP_PIN_MAX_SIZE 64
233#define CTAP_PIN_MAX_ATTS 8
238#define CTAP_PIN_MAX_ATTS_BOOT 3
243#define CTAP_PIN_PROT_VER 1
248#define CTAP_AMT_SUP_PIN_VER 1
255#define CTAP_PIN_TOKEN_SZ 16
264#define CTAP_CRED_KEY_LEN 16
273#define CTAP_AES_CCM_L 2
278#define CTAP_AES_CCM_NONCE_SIZE (15 - CTAP_AES_CCM_L)
285#define CTAP_CREDENTIAL_ID_ENC_SIZE (sizeof(struct ctap_resident_key) - \
286 sizeof(((struct ctap_resident_key *)0)-> \
287 cred_desc.cred_id) - \
288 sizeof(((struct ctap_resident_key *)0)-> \
289 cred_desc.has_nonce))
294#ifdef CONFIG_FIDO2_CTAP_UP_TIMEOUT
295#define CTAP_UP_TIMEOUT (CONFIG_FIDO2_CTAP_UP_TIMEOUT * MS_PER_SEC)
297#define CTAP_UP_TIMEOUT (15 * MS_PER_SEC)
304#define CTAP_GET_NEXT_ASSERTION_TIMEOUT (30 * MS_PER_SEC)
309#ifdef CONFIG_FIDO2_CTAP_DEVICE_AAGUID
310#define CTAP_AAGUID CONFIG_FIDO2_CTAP_DEVICE_AAGUID
313#define CTAP_AAGUID "9c295865fa2c36b705a42320af9c8f16"
321#define CTAP_PUB_KEY_CRED_PUB_KEY 0x01
322#define CTAP_PUB_KEY_CRED_UNKNOWN 0x02
330#define CTAP_COSE_KEY_LABEL_KTY 1
331#define CTAP_COSE_KEY_LABEL_ALG 3
332#define CTAP_COSE_KEY_LABEL_CRV -1
333#define CTAP_COSE_KEY_LABEL_X -2
334#define CTAP_COSE_KEY_LABEL_Y -3
335#define CTAP_COSE_KEY_KTY_EC2 2
336#define CTAP_COSE_KEY_CRV_P256 1
342#define CTAP_AAGUID_SIZE 16
347#define CTAP_COSE_ALG_ES256 -7
352#define CTAP_COSE_ALG_ECDH_ES_HKDF_256 -25
358#define CTAP_CREDENTIAL_ID_SIZE 16U
366#define CTAP_INITIALIZED_MARKER 0x4e
371#define CTAP_MAX_EXCLUDE_LIST_SIZE 0x14
504typedef struct __attribute__((packed)) {
575typedef struct __attribute__((packed)){
595typedef struct __attribute__((packed)){
636 const uint8_t *client_data_hash,
638 uint8_t *sig,
size_t *sig_len);
POSIX.1-2008 compliant version of the assert macro.
Functionality for encoding SenML values as CBOR.
Counter with CBC-MAC mode of operation for block ciphers.
#define CCM_MAC_MAX_LEN
Maximum length for the appended MAC.
Public FIDO2 CTAP defines, structures and function declarations.
FIDO2 CTAP crypto helper defines, structures and function declarations.
#define CTAP_CRYPTO_KEY_SIZE
Size in bytes of cryptographic keys used.
bool fido2_ctap_cred_params_supported(uint8_t cred_type, int32_t alg_type)
Check if requested algorithm is supported.
#define CTAP_CREDENTIAL_ID_SIZE
CTAP size of credential id.
int fido2_ctap_encrypt_rk(ctap_resident_key_t *rk, uint8_t *nonce, size_t nonce_len, ctap_cred_id_t *id)
Encrypt resident key with AES CCM.
int fido2_ctap_get_sig(const uint8_t *auth_data, size_t auth_data_len, const uint8_t *client_data_hash, const ctap_resident_key_t *rk, uint8_t *sig, size_t *sig_len)
Create signature from authenticator data.
#define CTAP_CREDENTIAL_ID_ENC_SIZE
Total size of AES CCM credential id.
#define CTAP_PIN_AUTH_SZ
Size of pin auth.
struct ctap_resident_key ctap_resident_key_t
CTAP resident key credential forward declaration.
struct ctap_cred_desc_alt ctap_cred_desc_alt_t
Alternative CTAP cred struct forward declaration.
#define CTAP_RP_MAX_NAME_SIZE
Max size of relying party name.
#define CTAP_PIN_ENC_MAX_SIZE
Encrypted newPin max size.
ctap_pin_subcommand_t
CTAP Client PIN request subCommand CBOR key values.
#define CTAP_AAGUID_SIZE
CTAP size of authenticator AAGUID in bytes.
ctap_state_t * fido2_ctap_get_state(void)
Get a pointer to the authenticator state.
#define CTAP_DOMAIN_NAME_MAX_SIZE
Max size of a domain name including null character.
#define CTAP_MAX_EXCLUDE_LIST_SIZE
Max size of allow list.
struct ctap_cred_desc ctap_cred_desc_t
CTAP cred struct forward declaration.
#define CTAP_USER_ID_MAX_SIZE
Max size of user id.
bool fido2_ctap_pin_is_set(void)
Check if PIN has been set on authenticator.
#define CTAP_AES_CCM_NONCE_SIZE
AES CCM nonce size.
#define CTAP_USER_MAX_NAME_SIZE
Max size of username including null character.
#define CTAP_CRED_KEY_LEN
Size of key used to encrypt credential.
@ CTAP_PIN_SET_PIN
setPIN subCommand
@ CTAP_PIN_GET_PIN_TOKEN
getPinToken subCommand
@ CTAP_PIN_CHANGE_PIN
changePIN subCommand
@ CTAP_PIN_GET_KEY_AGREEMENT
getKeyAgreement subCommand
@ CTAP_PIN_GET_RETRIES
getRetries subCommand
#define SHA256_DIGEST_LENGTH
Length of SHA256 digests in bytes.
Mutex for thread synchronization.
CTAP attested credential data struct.
ctap_public_key_cose_t key
cose key
ctap_attested_cred_data_header_t header
attested credential data header
CTAP authenticator data struct.
ctap_attested_cred_data_t attested_cred_data
attested credential data
ctap_auth_data_header_t header
auth data header
CTAP client pin request struct.
bool key_agreement_present
indicate if key_agreement present
uint16_t new_pin_enc_size
size of encrypted new pin
uint8_t pin_auth[CTAP_PIN_AUTH_SZ]
first 16 bytes of HMAC-SHA-256 of encrypted contents
ctap_pin_subcommand_t sub_command
ClientPIN sub command.
ctap_public_key_cose_t key_agreement
public key of platform_key_agreement_key
bool pin_auth_present
indicate if pin_auth present
uint8_t pin_protocol
PIN protocol version chosen by the client.
uint8_t pin_hash_enc[SHA256_DIGEST_LENGTH/2]
Encrypted first 16 bytes of SHA-256 of PIN using sharedSecret.
bool pin_hash_enc_present
indicate pin_hash_enc is present
uint8_t new_pin_enc[CTAP_PIN_ENC_MAX_SIZE]
Encrypted new PIN using sharedSecret.
CTAP authenticator config struct.
uint8_t aaguid[CTAP_AAGUID_SIZE]
AAGUID of device.
CTAP credential description alternative struct.
uint8_t cred_type
type of credential
ctap_cred_id_t cred_id
credential id
CTAP credential description struct.
uint8_t cred_id[CTAP_CREDENTIAL_ID_SIZE]
credential identifier
uint8_t nonce[CTAP_AES_CCM_NONCE_SIZE]
CTAP AES CCM nonce.
uint8_t cred_type
type of credential
bool has_nonce
Indicate if nonce or cred_id.
uint8_t nonce[CTAP_AES_CCM_NONCE_SIZE]
AES CCM nonce.
uint8_t mac[CCM_MAC_MAX_LEN]
AES CCM MAC.
Elliptic curve public key.
CTAP get assertion request struct.
uint8_t rp_id[CTAP_DOMAIN_NAME_MAX_SIZE+1]
Relying Party Identifier.
uint8_t pin_protocol
PIN protocol version.
uint8_t client_data_hash[SHA256_DIGEST_LENGTH]
SHA-256 hash of JSON serialized client data.
bool pin_auth_present
indicate if pin_auth present
ctap_cred_desc_alt_t allow_list[CTAP_MAX_EXCLUDE_LIST_SIZE]
allow list
uint8_t pin_auth[CTAP_PIN_AUTH_SZ]
pin_auth if PIN is set
size_t pin_auth_len
pin_auth length
uint8_t rp_id_len
Actual Length of Relying Party Identifier.
uint8_t allow_list_len
length of CBOR allow list array
ctap_options_t options
parameters to influence authenticator operation
uint8_t aaguid[CTAP_AAGUID_SIZE]
AAGUID.
bool pin_is_set
PIN is set or not.
uint8_t options
supported options
uint8_t pin_protocol
supported PIN protocol versions
uint8_t versions
supported versions of FIDO
uint16_t max_msg_size
max message size
CTAP make credential request struct.
ctap_cred_desc_alt_t exclude_list[CTAP_MAX_EXCLUDE_LIST_SIZE]
exclude list
uint8_t pin_auth[CTAP_PIN_AUTH_SZ]
pin_auth if PIN is set
bool pin_auth_present
pin_auth present
int32_t alg_type
cryptographic algorithm identifier
uint8_t client_data_hash[SHA256_DIGEST_LENGTH]
SHA-256 hash of JSON serialized client data.
size_t exclude_list_len
length of CBOR exclude list array
ctap_rp_ent_t rp
relying party
size_t pin_auth_len
pin_auth len
uint8_t cred_type
type of credential
ctap_options_t options
parameters to influence authenticator operation
uint8_t pin_protocol
PIN protocol version.
int32_t alg_type
COSEAlgorithmIdentifier.
int kty
identification of key type
ctap_crypto_pub_key_t pubkey
public key
uint8_t cred_type
type of credential
CTAP resident key struct.
ctap_cred_desc_t cred_desc
credential descriptor
uint8_t user_id[CTAP_USER_ID_MAX_SIZE]
id of user
uint8_t priv_key[CTAP_CRYPTO_KEY_SIZE]
private key
uint32_t sign_count
signature counter.
uint8_t user_id_len
length of the user id
uint16_t id
internal id of key
uint8_t rp_id_hash[SHA256_DIGEST_LENGTH]
hash of rp domain string
CTAP relying party entity struct.
uint8_t id_len
actual length of relying party identifier
uint8_t icon[CTAP_DOMAIN_NAME_MAX_SIZE+1]
URL referencing relying party icon image.
uint8_t name[CTAP_RP_MAX_NAME_SIZE+1]
human friendly relying party name
uint16_t rk_amount_stored
total number of resident keys stored on device
uint8_t cred_key[CTAP_CRED_KEY_LEN]
AES CCM encryption key for cred.
int rem_pin_att
remaining PIN tries
bool pin_is_set
PIN is set or not.
ctap_config_t config
configuration of authenticator
bool cred_key_is_initialized
AES CCM key initialized flag.
uint8_t pin_hash[SHA256_DIGEST_LENGTH/2]
LEFT(SHA-256(pin), 16)
uint8_t initialized_marker
CTAP initialized marker.
ctap_crypto_key_agreement_key_t ag_key
Platform key agreement key.
uint32_t id_cnt
id counter for credential id
uint8_t display_name[CTAP_USER_MAX_NAME_SIZE]
user display name
uint8_t name[CTAP_USER_MAX_NAME_SIZE]
user name
uint8_t icon[CTAP_DOMAIN_NAME_MAX_SIZE]
URL referencing user icon image.
uint8_t id_len
actual length of user id
Utility library for comparing and computing timestamps.
1.13.2