1 .\" Copyright (c) 2020 Yubico AB. All rights reserved.
3 .\" Redistribution and use in source and binary forms, with or without
4 .\" modification, are permitted provided that the following conditions are
7 .\" 1. Redistributions of source code must retain the above copyright
8 .\" notice, this list of conditions and the following disclaimer.
9 .\" 2. Redistributions in binary form must reproduce the above copyright
10 .\" notice, this list of conditions and the following disclaimer in
11 .\" the documentation and/or other materials provided with the
14 .\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
15 .\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
16 .\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
17 .\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
18 .\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
19 .\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
20 .\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21 .\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22 .\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
24 .\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26 .\" SPDX-License-Identifier: BSD-2-Clause
28 .Dd $Mdocdate: October 26 2020 $
29 .Dt FIDO_LARGEBLOB_GET 3
32 .Nm fido_dev_largeblob_get ,
33 .Nm fido_dev_largeblob_set ,
34 .Nm fido_dev_largeblob_remove ,
35 .Nm fido_dev_largeblob_get_array ,
36 .Nm fido_dev_largeblob_set_array
37 .Nd FIDO2 large blob API
41 .Fn fido_dev_largeblob_get "fido_dev_t *dev" "const unsigned char *key_ptr" "size_t key_len" "unsigned char **blob_ptr" "size_t *blob_len"
43 .Fn fido_dev_largeblob_set "fido_dev_t *dev" "const unsigned char *key_ptr" "size_t key_len" "const unsigned char *blob_ptr" "size_t blob_len" "const char *pin"
45 .Fn fido_dev_largeblob_remove "fido_dev_t *dev" "const unsigned char *key_ptr" "size_t key_len" "const char *pin"
47 .Fn fido_dev_largeblob_get_array "fido_dev_t *dev" "unsigned char **cbor_ptr" "size_t *cbor_len"
49 .Fn fido_dev_largeblob_set_array "fido_dev_t *dev" "const unsigned char *cbor_ptr" "size_t cbor_len" "const char *pin"
55 allows binary blobs residing on a CTAP 2.1 authenticator to be
56 read, written, and inspected.
58 is a CTAP 2.1 extension.
61 are stored as elements of a CBOR array.
62 Confidentiality is ensured by encrypting each element with a
63 distinct, credential-bound 256-bit AES-GCM key.
64 The array is otherwise shared between different credentials and
65 FIDO2 relying parties.
67 Retrieval of a credential's encryption key is possible during
69 .Xr fido_cred_set_extensions 3
71 .Xr fido_cred_largeblob_key_ptr 3 ,
73 .Xr fido_assert_set_extensions 3
75 .Xr fido_assert_largeblob_key_ptr 3 ,
76 or, in the case of a resident credential, via
78 credential management API.
82 CBOR array is opaque to the authenticator.
83 Management of the array is left at the discretion of FIDO2 clients.
84 For further details on CTAP 2.1's
86 extension, please refer to the CTAP 2.1 spec.
89 .Fn fido_dev_largeblob_get
90 function retrieves the authenticator's
92 CBOR array and, on success, returns the first blob
93 .Pq iterating from array index zero
94 that can be decrypted by
102 .Fn fido_dev_largeblob_get
105 to the body of the decrypted blob, and
107 to the length of the decrypted blob in bytes.
108 It is the caller's responsibility to free
112 .Fn fido_dev_largeblob_set
117 and inserts the result in the authenticator's
120 Insertion happens at the end of the array if no existing element
123 or at the position of the first element
124 .Pq iterating from array index zero
125 that can be decrypted by
137 or equivalent user-verification gesture is required.
140 .Fn fido_dev_largeblob_remove
141 function retrieves the authenticator's
143 CBOR array and, on success, drops the first blob
144 .Pq iterating from array index zero
145 that can be decrypted by
154 or equivalent user-verification gesture is required.
157 .Fn fido_dev_largeblob_get_array
158 function retrieves the authenticator's
160 CBOR array and, on success,
163 to the body of the CBOR array, and
165 to its corresponding length in bytes.
166 It is the caller's responsibility to free
170 .Fn fido_dev_largeblob_set_array
171 function sets the authenticator's
173 CBOR array to the data pointed to by
182 or equivalent user-verification gesture is required.
185 .Fn fido_dev_largeblob_set ,
186 .Fn fido_dev_largeblob_get ,
187 .Fn fido_dev_largeblob_remove ,
188 .Fn fido_dev_largeblob_get_array ,
190 .Fn fido_dev_largeblob_set_array
194 On error, an error code defined in
198 .Xr fido_assert_largeblob_key_len 3 ,
199 .Xr fido_assert_largeblob_key_ptr 3 ,
200 .Xr fido_assert_set_extensions 3 ,
201 .Xr fido_cred_largeblob_key_len 3 ,
202 .Xr fido_cred_largeblob_key_ptr 3 ,
203 .Xr fido_cred_set_extensions 3 ,
204 .Xr fido_credman_get_dev_rk 3 ,
205 .Xr fido_credman_get_dev_rp 3 ,
206 .Xr fido_dev_get_assert 3 ,
207 .Xr fido_dev_make_cred 3
211 extension is not meant to be used to store sensitive data.
212 When retrieved, a credential's
214 encryption key is transmitted in the clear, and an authenticator's
216 CBOR array can be read without user interaction or verification.