FIDO2 CTAP. More...
FIDO2 CTAP.
The Client-to-Authenticator Protocol (CTAP) is an application layer protocol for the communication between an authenticator and a host.
Files | |
| file | ctap.h | 
| Internal FIDO2 CTAP defines, structures and function declarations.  | |
Data Structures | |
| struct | ctap_config_t | 
| CTAP authenticator config struct.  More... | |
| struct | ctap_state_t | 
| CTAP state struct.  More... | |
| struct | ctap_options_t | 
| CTAP options struct.  More... | |
| struct | ctap_user_ent_t | 
| CTAP user entity struct.  More... | |
| struct | ctap_rp_ent_t | 
| CTAP relying party entity struct.  More... | |
| struct | ctap_public_key_cose_t | 
| CTAP cose key struct.  More... | |
| struct | ctap_cred_desc | 
| CTAP credential description struct.  More... | |
| struct | ctap_resident_key | 
| CTAP resident key struct.  More... | |
| struct | ctap_cred_id_t | 
| CTAP credential ID.  More... | |
| struct | ctap_cred_desc_alt | 
| CTAP credential description alternative struct.  More... | |
| struct | ctap_make_credential_req_t | 
| CTAP make credential request struct.  More... | |
| struct | ctap_get_assertion_req_t | 
| CTAP get assertion request struct.  More... | |
| struct | ctap_client_pin_req_t | 
| CTAP client pin request struct.  More... | |
| struct | ctap_attested_cred_data_header_t | 
| CTAP attested credential data header struct.  More... | |
| struct | ctap_attested_cred_data_t | 
| CTAP attested credential data struct.  More... | |
| struct | ctap_auth_data_header_t | 
| CTAP authenticator data header struct.  More... | |
| struct | ctap_auth_data_t | 
| CTAP authenticator data struct.  More... | |
| struct | ctap_info_t | 
| CTAP info struct.  More... | |
Macros | |
| #define | CTAP_PIN_AUTH_SZ 16 | 
| Size of pin auth.   | |
| #define | CTAP_STACKSIZE 15000 | 
| CTAP thread stack size.   | |
| #define | CTAP_UP_BUTTON 0 | 
| CTAP user presence button.   | |
| #define | CONFIG_FIDO2_CTAP_DISABLE_UP 1 | 
| Configuration flag: when set, the user presence test is disabled.   | |
| #define | CTAP_UP_BUTTON_MODE GPIO_IN_PU | 
| CTAP user presence button mode.   | |
| #define | CTAP_UP_BUTTON_FLANK GPIO_FALLING | 
| CTAP user presence button flank.   | |
| #define | CONFIG_FIDO2_CTAP_DISABLE_LED 0 | 
| Configuration flag: when set, the LED is disabled.   | |
| #define | CTAP_RP_MAX_NAME_SIZE 32 | 
| Max size of relying party name.   | |
| #define | CTAP_USER_MAX_NAME_SIZE 64 + 1 | 
| Max size of username including null character.   | |
| #define | CTAP_USER_ID_MAX_SIZE 64 | 
| Max size of user id.   | |
| #define | CTAP_DOMAIN_NAME_MAX_SIZE 253 + 1 | 
| Max size of a domain name including null character.   | |
| #define | CTAP_ICON_MAX_SIZE 128 + 1 | 
| Max size of icon including null character.   | |
| #define | CTAP_PIN_MIN_SIZE 4 | 
| PIN min size.   | |
| #define | CTAP_PIN_ENC_MIN_SIZE 64 | 
| Encrypted newPin min size.   | |
| #define | CTAP_PIN_ENC_MAX_SIZE 256 | 
| Encrypted newPin max size.   | |
| #define | CTAP_PIN_MAX_SIZE 64 | 
| PIN max size.   | |
| #define | CTAP_PIN_MAX_ATTS 8 | 
| Max total consecutive incorrect PIN attempts.   | |
| #define | CTAP_PIN_MAX_ATTS_BOOT 3 | 
| Max consecutive incorrect PIN attempts within a single boot cycle.   | |
| #define | CTAP_PIN_PROT_VER 1 | 
| PIN protocol version.   | |
| #define | CTAP_AMT_SUP_PIN_VER 1 | 
| Total number of supported PIN protocol versions.   | |
| #define | CTAP_PIN_TOKEN_SZ 16 | 
| Size of pin token.   | |
| #define | CTAP_CRED_KEY_LEN 16 | 
| Size of key used to encrypt credential.   | |
| #define | CTAP_AES_CCM_L 2 | 
| AES_CCM_L parameter.   | |
| #define | CTAP_AES_CCM_NONCE_SIZE (15 - CTAP_AES_CCM_L) | 
| AES CCM nonce size.   | |
| #define | CTAP_CREDENTIAL_ID_ENC_SIZE | 
| Total size of AES CCM credential id.   | |
| #define | CTAP_UP_TIMEOUT (15 * MS_PER_SEC) | 
| Timeout for user presence test.   | |
| #define | CTAP_GET_NEXT_ASSERTION_TIMEOUT (30 * MS_PER_SEC) | 
| Maximum time allowed between a get_assertion call and the following get_next_assertion call before an error is returned.   | |
| #define | CTAP_AAGUID "9c295865fa2c36b705a42320af9c8f16" | 
| 128-bit identifier of the authenticator.   | |
| #define | CTAP_AAGUID_SIZE 16 | 
| CTAP size of authenticator AAGUID in bytes.   | |
| #define | CTAP_COSE_ALG_ES256 -7 | 
| CTAP COSE Algorithms registry identifier for ES256.   | |
| #define | CTAP_COSE_ALG_ECDH_ES_HKDF_256 -25 | 
| CTAP COSE Algorithms registry identifier for ECDH ES HKDF 256.   | |
| #define | CTAP_CREDENTIAL_ID_SIZE 16U | 
| CTAP size of credential id.   | |
| #define | CTAP_INITIALIZED_MARKER 0x4e | 
| CTAP state initialized marker.   | |
| #define | CTAP_MAX_EXCLUDE_LIST_SIZE 0x14 | 
| Max size of the exclude list.   | |
Typedefs | |
| typedef struct ctap_cred_desc | ctap_cred_desc_t | 
| CTAP cred struct forward declaration.   | |
| typedef struct ctap_cred_desc_alt | ctap_cred_desc_alt_t | 
| Alternative CTAP cred struct forward declaration.   | |
| typedef struct ctap_resident_key | ctap_resident_key_t | 
| CTAP resident key credential forward declaration.   | |
Functions | |
| int | fido2_ctap_get_sig (const uint8_t *auth_data, size_t auth_data_len, const uint8_t *client_data_hash, const ctap_resident_key_t *rk, uint8_t *sig, size_t *sig_len) | 
| Create signature from authenticator data.   | |
| bool | fido2_ctap_cred_params_supported (uint8_t cred_type, int32_t alg_type) | 
| Check if requested algorithm is supported.   | |
| int | fido2_ctap_encrypt_rk (ctap_resident_key_t *rk, uint8_t *nonce, size_t nonce_len, ctap_cred_id_t *id) | 
| Encrypt resident key with AES CCM.   | |
| bool | fido2_ctap_pin_is_set (void) | 
| Check if PIN has been set on authenticator.   | |
| ctap_state_t * | fido2_ctap_get_state (void) | 
| Get a pointer to the authenticator state.   | |
| enum | ctap_pin_subcommand_t {  CTAP_PIN_GET_RETRIES = 0x01 , CTAP_PIN_GET_KEY_AGREEMENT = 0x02 , CTAP_PIN_SET_PIN = 0x03 , CTAP_PIN_CHANGE_PIN = 0x04 , CTAP_PIN_GET_PIN_TOKEN = 0x05 }  | 
| CTAP Client PIN request subCommand CBOR key values.  More... | |
CTAP authenticator data option flags | |
| #define | CTAP_AUTH_DATA_FLAG_UP (1 << 0) | 
| user present   | |
| #define | CTAP_AUTH_DATA_FLAG_UV (1 << 2) | 
| user verified   | |
| #define | CTAP_AUTH_DATA_FLAG_AT (1 << 6) | 
| attested credential data included   | |
| #define | CTAP_AUTH_DATA_FLAG_ED (1 << 7) | 
| extension data included   | |
CTAP version flags | |
| #define | CTAP_VERSION_FLAG_FIDO_PRE 0x01 | 
| FIDO 2.1 flag.   | |
| #define | CTAP_VERSION_FLAG_FIDO 0x02 | 
| FIDO 2 flag.   | |
| #define | CTAP_VERSION_FLAG_U2F_V2 0x04 | 
| U2F V2 flag.   | |
CTAP get info response options map CBOR key values | |
All options are key-value pairs with string IDs and boolean values.  | |
| #define | CTAP_GET_INFO_RESP_OPTIONS_ID_PLAT "plat" | 
| platform device string   | |
| #define | CTAP_GET_INFO_RESP_OPTIONS_ID_RK "rk" | 
| resident key string   | |
| #define | CTAP_GET_INFO_RESP_OPTIONS_ID_CLIENT_PIN "clientPin" | 
| client PIN string   | |
| #define | CTAP_GET_INFO_RESP_OPTIONS_ID_UP "up" | 
| user presence string   | |
| #define | CTAP_GET_INFO_RESP_OPTIONS_ID_UV "uv" | 
| user verification string   | |
CTAP get info options flags | |
| #define | CTAP_INFO_OPTIONS_FLAG_PLAT (1 << 0) | 
| platform device flag   | |
| #define | CTAP_INFO_OPTIONS_FLAG_RK (1 << 1) | 
| resident key flag   | |
| #define | CTAP_INFO_OPTIONS_FLAG_CLIENT_PIN (1 << 2) | 
| clientPIN flag   | |
| #define | CTAP_INFO_OPTIONS_FLAG_UP (1 << 3) | 
| user presence flag   | |
| #define | CTAP_INFO_OPTIONS_FLAG_UV (1 << 4) | 
| user verification flag   | |
CTAP credential types | |
| #define | CTAP_PUB_KEY_CRED_PUB_KEY 0x01 | 
| public key credential type   | |
| #define | CTAP_PUB_KEY_CRED_UNKNOWN 0x02 | 
| unknown credential type   | |
CTAP COSE key CBOR map key values | |
| #define | CTAP_COSE_KEY_LABEL_KTY 1 | 
| key type identifier   | |
| #define | CTAP_COSE_KEY_LABEL_ALG 3 | 
| algorithm identifier   | |
| #define | CTAP_COSE_KEY_LABEL_CRV -1 | 
| elliptic curve identifier   | |
| #define | CTAP_COSE_KEY_LABEL_X -2 | 
| x coordinate   | |
| #define | CTAP_COSE_KEY_LABEL_Y -3 | 
| y coordinate   | |
| #define | CTAP_COSE_KEY_KTY_EC2 2 | 
| Two-coordinate elliptic curve key type identifier   | |
| #define | CTAP_COSE_KEY_CRV_P256 1 | 
| secp256r1 elliptic curve key identifier   | |
| #define CONFIG_FIDO2_CTAP_DISABLE_LED 0 | 
| #define CONFIG_FIDO2_CTAP_DISABLE_UP 1 | 
| #define CTAP_AAGUID "9c295865fa2c36b705a42320af9c8f16" | 
| #define CTAP_AAGUID_SIZE 16 | 
| #define CTAP_AES_CCM_L 2 | 
| #define CTAP_AES_CCM_NONCE_SIZE (15 - CTAP_AES_CCM_L) | 
| #define CTAP_AMT_SUP_PIN_VER 1 | 
| #define CTAP_AUTH_DATA_FLAG_AT (1 << 6) | 
| #define CTAP_AUTH_DATA_FLAG_ED (1 << 7) | 
| #define CTAP_COSE_ALG_ECDH_ES_HKDF_256 -25 | 
| #define CTAP_COSE_ALG_ES256 -7 | 
| #define CTAP_COSE_KEY_CRV_P256 1 | 
| #define CTAP_COSE_KEY_KTY_EC2 2 | 
| #define CTAP_CRED_KEY_LEN 16 | 
| #define CTAP_CREDENTIAL_ID_ENC_SIZE | 
Total size of AES CCM credential id.
Size of the encrypted resident key = size of the resident key minus the credential id and has_nonce fields.
| #define CTAP_CREDENTIAL_ID_SIZE 16U | 
| #define CTAP_DOMAIN_NAME_MAX_SIZE 253 + 1 | 
| #define CTAP_GET_INFO_RESP_OPTIONS_ID_CLIENT_PIN "clientPin" | 
| #define CTAP_GET_INFO_RESP_OPTIONS_ID_PLAT "plat" | 
| #define CTAP_GET_INFO_RESP_OPTIONS_ID_RK "rk" | 
| #define CTAP_GET_INFO_RESP_OPTIONS_ID_UP "up" | 
| #define CTAP_GET_INFO_RESP_OPTIONS_ID_UV "uv" | 
| #define CTAP_GET_NEXT_ASSERTION_TIMEOUT (30 * MS_PER_SEC) | 
| #define CTAP_ICON_MAX_SIZE 128 + 1 | 
| #define CTAP_INFO_OPTIONS_FLAG_CLIENT_PIN (1 << 2) | 
| #define CTAP_INFO_OPTIONS_FLAG_PLAT (1 << 0) | 
| #define CTAP_INFO_OPTIONS_FLAG_UV (1 << 4) | 
| #define CTAP_INITIALIZED_MARKER 0x4e | 
| #define CTAP_MAX_EXCLUDE_LIST_SIZE 0x14 | 
| #define CTAP_PIN_AUTH_SZ 16 | 
| #define CTAP_PIN_ENC_MIN_SIZE 64 | 
| #define CTAP_PIN_MAX_ATTS 8 | 
| #define CTAP_PIN_MAX_ATTS_BOOT 3 | 
| #define CTAP_PIN_TOKEN_SZ 16 | 
| #define CTAP_PUB_KEY_CRED_PUB_KEY 0x01 | 
| #define CTAP_PUB_KEY_CRED_UNKNOWN 0x02 | 
| #define CTAP_RP_MAX_NAME_SIZE 32 | 
| #define CTAP_UP_BUTTON_FLANK GPIO_FALLING | 
| #define CTAP_UP_BUTTON_MODE GPIO_IN_PU | 
| #define CTAP_UP_TIMEOUT (15 * MS_PER_SEC) | 
| #define CTAP_USER_MAX_NAME_SIZE 64 + 1 | 
| typedef struct ctap_cred_desc_alt ctap_cred_desc_alt_t | 
| typedef struct ctap_cred_desc ctap_cred_desc_t | 
| typedef struct ctap_resident_key ctap_resident_key_t | 
| bool fido2_ctap_cred_params_supported | ( | uint8_t | cred_type, | 
| int32_t | alg_type ) | 
Check if requested algorithm is supported.
| [in] | cred_type | type of credential | 
| [in] | alg_type | cryptographic algorithm identifier | 
| int fido2_ctap_encrypt_rk | ( | ctap_resident_key_t * | rk, | 
| uint8_t * | nonce, | ||
| size_t | nonce_len, | ||
| ctap_cred_id_t * | id ) | 
Encrypt resident key with AES CCM.
| [in] | rk | resident key to encrypt | 
| [in] | nonce | CCM nonce | 
| [in] | nonce_len | length of nonce  | 
| [in] | id | credential id struct that receives the encrypted resident key | 
| int fido2_ctap_get_sig | ( | const uint8_t * | auth_data, | 
| size_t | auth_data_len, | ||
| const uint8_t * | client_data_hash, | ||
| const ctap_resident_key_t * | rk, | ||
| uint8_t * | sig, | ||
| size_t * | sig_len ) | 
Create signature from authenticator data.
Used for both the attestation statement and the assertion statement.
| [in] | auth_data | authenticator data | 
| [in] | auth_data_len | length of auth_data  | 
| [in] | client_data_hash | hash of client data sent by relying party in request | 
| [in] | rk | resident key used to sign the data | 
| [in] | sig | buffer that receives the signature | 
| [in] | sig_len | length of sig  | 
| ctap_state_t * fido2_ctap_get_state | ( | void | ) | 
Get a pointer to the authenticator state.
| bool fido2_ctap_pin_is_set | ( | void | ) | 
Check if PIN has been set on authenticator.