FIDO2 CTAP.
The Client-to-Authenticator Protocol (CTAP) is an application layer protocol for the communication between an authenticator and a host.
Files | |
file | ctap.h |
Internal FIDO2 CTAP defines, structures and function declarations. | |
Data Structures | |
struct | ctap_config_t |
CTAP authenticator config struct. More... | |
struct | ctap_state_t |
CTAP state struct. More... | |
struct | ctap_options_t |
CTAP options struct. More... | |
struct | ctap_user_ent_t |
CTAP user entity struct. More... | |
struct | ctap_rp_ent_t |
CTAP relying party entity struct. More... | |
struct | ctap_public_key_cose_t |
CTAP cose key struct. More... | |
struct | ctap_cred_desc |
CTAP credential description struct. More... | |
struct | ctap_resident_key |
CTAP resident key struct. More... | |
struct | ctap_cred_id_t |
CTAP credential ID. More... | |
struct | ctap_cred_desc_alt |
CTAP credential description alternative struct. More... | |
struct | ctap_make_credential_req_t |
CTAP make credential request struct. More... | |
struct | ctap_get_assertion_req_t |
CTAP get assertion request struct. More... | |
struct | ctap_client_pin_req_t |
CTAP client pin request struct. More... | |
struct | ctap_attested_cred_data_header_t |
CTAP attested credential data header struct. More... | |
struct | ctap_attested_cred_data_t |
CTAP attested credential data struct. More... | |
struct | ctap_auth_data_header_t |
CTAP authenticator data header struct. More... | |
struct | ctap_auth_data_t |
CTAP authenticator data struct. More... | |
struct | ctap_info_t |
CTAP info struct. More... | |
Macros | |
#define | CTAP_PIN_AUTH_SZ 16 |
Size of pin auth. | |
#define | CTAP_STACKSIZE 15000 |
CTAP thread stack size. | |
#define | CTAP_UP_BUTTON 0 |
CTAP user presence button. | |
#define | CONFIG_FIDO2_CTAP_DISABLE_UP 1 |
Disable user presence test configuration. | |
#define | CTAP_UP_BUTTON_MODE GPIO_IN_PU |
CTAP user presence button mode. | |
#define | CTAP_UP_BUTTON_FLANK GPIO_FALLING |
CTAP user presence button flank. | |
#define | CONFIG_FIDO2_CTAP_DISABLE_LED 0 |
Disable LED configuration. | |
#define | CTAP_RP_MAX_NAME_SIZE 32 |
Max size of relying party name. | |
#define | CTAP_USER_MAX_NAME_SIZE 64 + 1 |
Max size of username including null character. | |
#define | CTAP_USER_ID_MAX_SIZE 64 |
Max size of user id. | |
#define | CTAP_DOMAIN_NAME_MAX_SIZE 253 + 1 |
Max size of a domain name including null character. | |
#define | CTAP_ICON_MAX_SIZE 128 + 1 |
Max size of icon including null character. | |
#define | CTAP_PIN_MIN_SIZE 4 |
PIN min size. | |
#define | CTAP_PIN_ENC_MIN_SIZE 64 |
Encrypted newPin min size. | |
#define | CTAP_PIN_ENC_MAX_SIZE 256 |
Encrypted newPin max size. | |
#define | CTAP_PIN_MAX_SIZE 64 |
PIN max size. | |
#define | CTAP_PIN_MAX_ATTS 8 |
Max total consecutive incorrect PIN attempts. | |
#define | CTAP_PIN_MAX_ATTS_BOOT 3 |
Max consecutive incorrect PIN attempts for 1 boot cycle. | |
#define | CTAP_PIN_PROT_VER 1 |
PIN protocol version. | |
#define | CTAP_AMT_SUP_PIN_VER 1 |
Total number of supported PIN protocol versions. | |
#define | CTAP_PIN_TOKEN_SZ 16 |
Size of pin token. | |
#define | CTAP_CRED_KEY_LEN 16 |
Size of key used to encrypt credential. | |
#define | CTAP_AES_CCM_L 2 |
AES_CCM_L parameter. | |
#define | CTAP_AES_CCM_NONCE_SIZE (15 - CTAP_AES_CCM_L) |
AES CCM nonce size. | |
#define | CTAP_CREDENTIAL_ID_ENC_SIZE |
Total size of AES CCM credential id. | |
#define | CTAP_UP_TIMEOUT (15 * MS_PER_SEC) |
Timeout for user presence test. | |
#define | CTAP_GET_NEXT_ASSERTION_TIMEOUT (30 * MS_PER_SEC) |
Max time after a call to get_assertion or get_next_assertion before an error is returned. | |
#define | CTAP_AAGUID "9c295865fa2c36b705a42320af9c8f16" |
128-bit identifier (AAGUID) of the authenticator. | |
#define | CTAP_AAGUID_SIZE 16 |
CTAP size of authenticator AAGUID in bytes. | |
#define | CTAP_COSE_ALG_ES256 -7 |
CTAP COSE Algorithms registry identifier for ES256. | |
#define | CTAP_COSE_ALG_ECDH_ES_HKDF_256 -25 |
CTAP COSE Algorithms registry identifier for ECDH ES HKDF 256. | |
#define | CTAP_CREDENTIAL_ID_SIZE 16U |
CTAP size of credential id. | |
#define | CTAP_INITIALIZED_MARKER 0x4e |
CTAP state initialized marker. | |
#define | CTAP_MAX_EXCLUDE_LIST_SIZE 0x14 |
Max size of the allow list (note: the macro name says exclude list; the name and description should agree). | |
Typedefs | |
typedef struct ctap_cred_desc | ctap_cred_desc_t |
CTAP cred struct forward declaration. | |
typedef struct ctap_cred_desc_alt | ctap_cred_desc_alt_t |
Alternative CTAP cred struct forward declaration. | |
typedef struct ctap_resident_key | ctap_resident_key_t |
CTAP resident key credential forward declaration. | |
Functions | |
int | fido2_ctap_get_sig (const uint8_t *auth_data, size_t auth_data_len, const uint8_t *client_data_hash, const ctap_resident_key_t *rk, uint8_t *sig, size_t *sig_len) |
Create signature from authenticator data. | |
bool | fido2_ctap_cred_params_supported (uint8_t cred_type, int32_t alg_type) |
Check if requested algorithm is supported. | |
int | fido2_ctap_encrypt_rk (ctap_resident_key_t *rk, uint8_t *nonce, size_t nonce_len, ctap_cred_id_t *id) |
Encrypt resident key with AES CCM. | |
bool | fido2_ctap_pin_is_set (void) |
Check if PIN has been set on authenticator. | |
ctap_state_t * | fido2_ctap_get_state (void) |
Get a pointer to the authenticator state. | |
enum | ctap_pin_subcommand_t { CTAP_PIN_GET_RETRIES = 0x01 , CTAP_PIN_GET_KEY_AGREEMENT = 0x02 , CTAP_PIN_SET_PIN = 0x03 , CTAP_PIN_CHANGE_PIN = 0x04 , CTAP_PIN_GET_PIN_TOKEN = 0x05 } |
CTAP Client PIN request subCommand CBOR key values. More... | |
CTAP authenticator data option flags | |
#define | CTAP_AUTH_DATA_FLAG_UP (1 << 0) |
user present | |
#define | CTAP_AUTH_DATA_FLAG_UV (1 << 2) |
user verified | |
#define | CTAP_AUTH_DATA_FLAG_AT (1 << 6) |
attested credential data included | |
#define | CTAP_AUTH_DATA_FLAG_ED (1 << 7) |
extension data included | |
CTAP version flags | |
#define | CTAP_VERSION_FLAG_FIDO_PRE 0x01 |
FIDO 2.1 flag. | |
#define | CTAP_VERSION_FLAG_FIDO 0x02 |
FIDO 2 flag. | |
#define | CTAP_VERSION_FLAG_U2F_V2 0x04 |
U2F V2 flag. | |
CTAP get info response options map CBOR key values | |
All options are key-value pairs with string IDs and boolean values. | |
#define | CTAP_GET_INFO_RESP_OPTIONS_ID_PLAT "plat" |
platform device string | |
#define | CTAP_GET_INFO_RESP_OPTIONS_ID_RK "rk" |
resident key string | |
#define | CTAP_GET_INFO_RESP_OPTIONS_ID_CLIENT_PIN "clientPin" |
client PIN string | |
#define | CTAP_GET_INFO_RESP_OPTIONS_ID_UP "up" |
user presence string | |
#define | CTAP_GET_INFO_RESP_OPTIONS_ID_UV "uv" |
user verification string | |
CTAP get info options flags | |
#define | CTAP_INFO_OPTIONS_FLAG_PLAT (1 << 0) |
platform device flag | |
#define | CTAP_INFO_OPTIONS_FLAG_RK (1 << 1) |
resident key flag | |
#define | CTAP_INFO_OPTIONS_FLAG_CLIENT_PIN (1 << 2) |
clientPIN flag | |
#define | CTAP_INFO_OPTIONS_FLAG_UP (1 << 3) |
user presence flag | |
#define | CTAP_INFO_OPTIONS_FLAG_UV (1 << 4) |
user verification flag | |
CTAP credential types | |
#define | CTAP_PUB_KEY_CRED_PUB_KEY 0x01 |
public key credential type | |
#define | CTAP_PUB_KEY_CRED_UNKNOWN 0x02 |
unknown credential type | |
CTAP COSE key CBOR map key values | |
#define | CTAP_COSE_KEY_LABEL_KTY 1 |
key type identifier | |
#define | CTAP_COSE_KEY_LABEL_ALG 3 |
algorithm identifier | |
#define | CTAP_COSE_KEY_LABEL_CRV -1 |
elliptic curve identifier | |
#define | CTAP_COSE_KEY_LABEL_X -2 |
x coordinate | |
#define | CTAP_COSE_KEY_LABEL_Y -3 |
y coordinate | |
#define | CTAP_COSE_KEY_KTY_EC2 2 |
two-coordinate elliptic curve (EC2) key type identifier | |
#define | CTAP_COSE_KEY_CRV_P256 1 |
secp256r1 elliptic curve key identifier | |
#define CONFIG_FIDO2_CTAP_DISABLE_LED 0 |
#define CONFIG_FIDO2_CTAP_DISABLE_UP 1 |
#define CTAP_AAGUID "9c295865fa2c36b705a42320af9c8f16" |
#define CTAP_AAGUID_SIZE 16 |
#define CTAP_AES_CCM_L 2 |
#define CTAP_AES_CCM_NONCE_SIZE (15 - CTAP_AES_CCM_L) |
#define CTAP_AMT_SUP_PIN_VER 1 |
#define CTAP_AUTH_DATA_FLAG_AT (1 << 6) |
#define CTAP_AUTH_DATA_FLAG_ED (1 << 7) |
#define CTAP_COSE_ALG_ECDH_ES_HKDF_256 -25 |
#define CTAP_COSE_ALG_ES256 -7 |
#define CTAP_COSE_KEY_CRV_P256 1 |
#define CTAP_COSE_KEY_KTY_EC2 2 |
#define CTAP_CRED_KEY_LEN 16 |
#define CTAP_CREDENTIAL_ID_ENC_SIZE |
Total size of the AES CCM encrypted credential id.
Size of the encrypted resident key = size of resident key - size of cred id - size of has_nonce
#define CTAP_CREDENTIAL_ID_SIZE 16U |
#define CTAP_DOMAIN_NAME_MAX_SIZE 253 + 1 |
#define CTAP_GET_INFO_RESP_OPTIONS_ID_CLIENT_PIN "clientPin" |
#define CTAP_GET_INFO_RESP_OPTIONS_ID_PLAT "plat" |
#define CTAP_GET_INFO_RESP_OPTIONS_ID_RK "rk" |
#define CTAP_GET_INFO_RESP_OPTIONS_ID_UP "up" |
#define CTAP_GET_INFO_RESP_OPTIONS_ID_UV "uv" |
#define CTAP_GET_NEXT_ASSERTION_TIMEOUT (30 * MS_PER_SEC) |
#define CTAP_ICON_MAX_SIZE 128 + 1 |
#define CTAP_INFO_OPTIONS_FLAG_CLIENT_PIN (1 << 2) |
#define CTAP_INFO_OPTIONS_FLAG_PLAT (1 << 0) |
#define CTAP_INFO_OPTIONS_FLAG_UV (1 << 4) |
#define CTAP_INITIALIZED_MARKER 0x4e |
#define CTAP_MAX_EXCLUDE_LIST_SIZE 0x14 |
#define CTAP_PIN_AUTH_SZ 16 |
#define CTAP_PIN_ENC_MIN_SIZE 64 |
#define CTAP_PIN_MAX_ATTS 8 |
#define CTAP_PIN_MAX_ATTS_BOOT 3 |
#define CTAP_PIN_TOKEN_SZ 16 |
#define CTAP_PUB_KEY_CRED_PUB_KEY 0x01 |
#define CTAP_PUB_KEY_CRED_UNKNOWN 0x02 |
#define CTAP_RP_MAX_NAME_SIZE 32 |
#define CTAP_UP_BUTTON_FLANK GPIO_FALLING |
#define CTAP_UP_BUTTON_MODE GPIO_IN_PU |
#define CTAP_UP_TIMEOUT (15 * MS_PER_SEC) |
#define CTAP_USER_MAX_NAME_SIZE 64 + 1 |
typedef struct ctap_cred_desc_alt ctap_cred_desc_alt_t |
typedef struct ctap_cred_desc ctap_cred_desc_t |
typedef struct ctap_resident_key ctap_resident_key_t |
bool fido2_ctap_cred_params_supported | ( | uint8_t | cred_type, |
int32_t | alg_type | ||
) |
Check if requested algorithm is supported.
[in] | cred_type | type of credential |
[in] | alg_type | cryptographic algorithm identifier |
int fido2_ctap_encrypt_rk | ( | ctap_resident_key_t * | rk, |
uint8_t * | nonce, | ||
size_t | nonce_len, | ||
ctap_cred_id_t * | id | ||
) |
Encrypt resident key with AES CCM.
[in] | rk | resident key to encrypt |
[in] | nonce | CCM nonce |
[in] | nonce_len | length of nonce |
[out] | id | credential id struct that receives the encrypted resident key |
int fido2_ctap_get_sig | ( | const uint8_t * | auth_data, |
size_t | auth_data_len, | ||
const uint8_t * | client_data_hash, | ||
const ctap_resident_key_t * | rk, | ||
uint8_t * | sig, | ||
size_t * | sig_len | ||
) |
Create signature from authenticator data.
Used for attestation and assertion statement.
[in] | auth_data | authenticator data |
[in] | auth_data_len | length of auth_data |
[in] | client_data_hash | hash of client data sent by relying party in request |
[in] | rk | resident key used to sign the data |
[out] | sig | buffer that receives the signature |
[in,out] | sig_len | length of sig |
ctap_state_t * fido2_ctap_get_state | ( | void | ) |
Get a pointer to the authenticator state.
bool fido2_ctap_pin_is_set | ( | void | ) |
Check if PIN has been set on authenticator.