FIDO2-CRED(1)                General Commands Manual                FIDO2-CRED(1)

NAME
fido2-cred - make or verify a FIDO2 credential

SYNOPSIS
     fido2-cred -M [-bdhqruv] [-c cred_protect] [-i input_file]
                [-o output_file] device [type]
     fido2-cred -V [-dhv] [-c cred_protect] [-i input_file]
                [-o output_file] [type]

DESCRIPTION
fido2-cred makes or verifies a FIDO2 credential.

A credential type may be es256 (denoting ECDSA over NIST P-256 with SHA-256), rs256 (denoting 2048-bit RSA with PKCS#1 v1.5 padding and SHA-256), or eddsa (denoting EdDSA over Curve25519 with SHA-512, i.e. Ed25519). If type is not specified, es256 is assumed.

When making a credential, the authenticator may require the user to authenticate with a PIN. If the -q option is not specified, fido2-cred will prompt the user for the PIN. If a tty is available, fido2-cred will use it to obtain the PIN. Otherwise, stdin is used.

The input of fido2-cred is defined by the parameters of the credential to be made/verified. See the INPUT FORMAT section for details.

The output of fido2-cred is defined by the result of the selected operation. See the OUTPUT FORMAT section for details.

If a credential is successfully created or verified, fido2-cred exits 0. Otherwise, fido2-cred exits 1.
The options are as follows:

     -M      Tells fido2-cred to make a new credential on device.

     -V      Tells fido2-cred to verify a credential.

     -b      Request the credential's "largeBlob" key.

     -c cred_protect
             If making a credential, set the credential's protection level to
             cred_protect, where cred_protect is the credential's protection
             level in decimal notation. Please refer to <fido/param.h> for the
             set of possible values (FIDO_CRED_PROT_UV_OPTIONAL = 1,
             FIDO_CRED_PROT_UV_OPTIONAL_WITH_ID = 2,
             FIDO_CRED_PROT_UV_REQUIRED = 3). If verifying a credential, check
             whether the credential's protection level was signed by the
             authenticator as cred_protect.

     -d      Tells fido2-cred to emit debugging output on stderr.

     -h      If making a credential, enable the FIDO2 hmac-secret extension.
             If verifying a credential, check whether the extension data bit
             was signed by the authenticator.

     -i input_file
             Tells fido2-cred to read the parameters of the credential from
             input_file instead of stdin.

     -o output_file
             Tells fido2-cred to write output on output_file instead of
             stdout.

     -q      Tells fido2-cred to be quiet. If a PIN is required and -q is
             specified, fido2-cred will fail.

     -r      Create a resident credential. Resident credentials are called
             "discoverable credentials" in CTAP 2.1.

     -u      Create a U2F credential. By default, fido2-cred will use FIDO2 if
             supported by the authenticator, and fall back to U2F otherwise.

     -v      If making a credential, request user verification. If verifying a
             credential, check whether the user verification bit was signed by
             the authenticator.

INPUT FORMAT
The input of fido2-cred consists of base64 blobs and UTF-8 strings separated by newline characters ('\n').
When making a credential, fido2-cred expects its input to consist of:

     1.   client data hash (base64 blob);
     2.   relying party id (UTF-8 string);
     3.   user name (UTF-8 string);
     4.   user id (base64 blob).

When verifying a credential, fido2-cred expects its input to consist of:

     1.   client data hash (base64 blob);
     2.   relying party id (UTF-8 string);
     3.   credential format (UTF-8 string);
     4.   authenticator data (base64 blob);
     5.   credential id (base64 blob);
     6.   attestation signature (base64 blob);
     7.   attestation certificate (optional, base64 blob).

UTF-8 strings passed to fido2-cred must not contain embedded newline or NUL characters.
OUTPUT FORMAT
The output of fido2-cred consists of base64 blobs, UTF-8 strings, and PEM-encoded public keys separated by newline characters ('\n').

Upon the successful generation of a credential, fido2-cred outputs:

     1.   client data hash (base64 blob);
     2.   relying party id (UTF-8 string);
     3.   credential format (UTF-8 string);
     4.   authenticator data (base64 blob);
     5.   credential id (base64 blob);
     6.   attestation signature (base64 blob);
     7.   attestation certificate, if present (base64 blob).

Upon the successful verification of a credential, fido2-cred outputs:

     1.   credential id (base64 blob);
     2.   PEM-encoded credential key.
EXAMPLES
Create a new es256 credential on /dev/hidraw5, verify it, and save the id and the public key of the credential in cred:

     $ echo credential challenge | openssl sha256 -binary | base64 > cred_param
     $ echo relying party >> cred_param
     $ echo user name >> cred_param
     $ dd if=/dev/urandom bs=1 count=32 | base64 >> cred_param
     $ fido2-cred -M -i cred_param /dev/hidraw5 | fido2-cred -V -o cred

The four lines of cred_param are, in order, the client data hash (here the SHA-256 of the challenge; note that echo appends a newline, which is part of what gets hashed), the relying party id, the user name and a random 32-byte user id. The output of -M is fed unchanged to -V, which checks the attestation signature and writes the credential id and public key to cred.

CAVEATS
Please note that fido2-cred handles Basic Attestation and Self Attestation transparently. In the case of Basic Attestation, the validity of the authenticator's attestation certificate is not verified. A relying party that uses attestation to decide which authenticators to accept must therefore validate the certificate (line 7 of the -M output) against a trusted root itself; a successful -V only proves that the signature matches the key in that certificate.
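As an added example (not part of the libfido2 man page or the project's own code), the following Python builds the four INPUT FORMAT lines for -M the way the shell example above does, and sanity-checks the OUTPUT FORMAT lines of -M before they are piped to -V: it decodes the authenticator data blob and confirms that rpIdHash matches the relying party id, that the UP (and, if requested, UV) flags were set, that the credential id line matches the attested credential data, and that the COSE algorithm matches the requested type. The sample output, the dummy key coordinates and the placeholder signature are constructed for this example; the attestation signature and certificate are deliberately not verified here, since the former is -V's job and the latter is the relying party's.

```python
import base64
import hashlib
import struct

# Bits of the authenticator-data flags byte (CTAP2 / WebAuthn).
FLAG_UP, FLAG_UV, FLAG_AT, FLAG_ED = 0x01, 0x04, 0x40, 0x80
# COSE algorithm identifiers, keyed to the type names fido2-cred uses.
COSE_ALG = {-7: "es256", -257: "rs256", -8: "eddsa"}

def b64(data):
    return base64.b64encode(data).decode("ascii")

def _require(cond, msg):
    if not cond:
        raise ValueError(msg)

def make_input(challenge, rp_id, user_name, user_id):
    """Build the four lines fido2-cred -M reads (INPUT FORMAT)."""
    for s in (rp_id, user_name):
        _require("\n" not in s and "\0" not in s, "UTF-8 strings must not contain newline or NUL")
    client_data_hash = hashlib.sha256(challenge).digest()
    return "\n".join([b64(client_data_hash), rp_id, user_name, b64(user_id)]) + "\n"

def _cbor_head(buf, pos):
    """Decode one CBOR initial byte and its argument; returns (major, arg, pos)."""
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    if info < 24:
        return major, info, pos + 1
    size = {24: 1, 25: 2, 26: 4, 27: 8}[info]
    return major, int.from_bytes(buf[pos + 1:pos + 1 + size], "big"), pos + 1 + size

def cbor_decode(buf, pos=0):
    """Minimal CBOR decoder (ints, byte/text strings, maps): enough for a COSE_Key."""
    major, arg, pos = _cbor_head(buf, pos)
    if major == 0:
        return arg, pos
    if major == 1:
        return -1 - arg, pos
    if major == 2:
        return buf[pos:pos + arg], pos + arg
    if major == 3:
        return buf[pos:pos + arg].decode("utf-8"), pos + arg
    if major == 5:
        m = {}
        for _ in range(arg):
            k, pos = cbor_decode(buf, pos)
            m[k], pos = cbor_decode(buf, pos)
        return m, pos
    raise ValueError("unsupported CBOR major type %d" % major)

def parse_auth_data(auth_data):
    """Split authenticator data into rpIdHash, flags, signCount and, if AT is set,
    AAGUID, credential id and COSE public key."""
    _require(len(auth_data) >= 37, "authenticator data too short")
    out = {"rp_id_hash": auth_data[:32], "flags": auth_data[32],
           "sign_count": struct.unpack(">I", auth_data[33:37])[0]}
    end = 37
    if out["flags"] & FLAG_AT:
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        out["aaguid"] = auth_data[37:53]
        out["cred_id"] = auth_data[55:55 + cred_len]
        out["cose_key"], end = cbor_decode(auth_data, 55 + cred_len)
    if out["flags"] & FLAG_ED:  # extension map follows the credential data
        out["extensions"], end = cbor_decode(auth_data, end)
    _require(end == len(auth_data), "trailing bytes after authenticator data")
    return out

def check_make_output(text, rp_id, want_type="es256", require_uv=False):
    """Consistency checks on the 6 or 7 lines fido2-cred -M prints (OUTPUT FORMAT).
    The attestation signature and certificate are NOT verified here."""
    lines = text.rstrip("\n").split("\n")
    _require(len(lines) in (6, 7), "expected 6 or 7 output lines")
    _require(len(base64.b64decode(lines[0])) == 32, "client data hash is not 32 bytes")
    auth = parse_auth_data(base64.b64decode(lines[3]))
    cred_id = base64.b64decode(lines[4])
    _require(lines[1] == rp_id and auth["rp_id_hash"] == hashlib.sha256(rp_id.encode()).digest(),
             "relying party id / rpIdHash mismatch")
    _require(auth["flags"] & FLAG_UP, "user presence bit not set")
    _require(not require_uv or auth["flags"] & FLAG_UV, "user verification bit not set (cf. -v)")
    _require(auth["flags"] & FLAG_AT, "no attested credential data")
    _require(auth["cred_id"] == cred_id, "credential id line does not match authenticator data")
    alg = COSE_ALG.get(auth["cose_key"].get(3))
    _require(alg == want_type, "credential type %r, expected %s" % (alg, want_type))
    return {"format": lines[2], "type": alg, "sign_count": auth["sign_count"],
            "aaguid": auth["aaguid"].hex(), "cred_id": cred_id.hex(), "has_cert": len(lines) == 7}

def sample_output(rp_id="example.com"):
    """Constructed stand-in for fido2-cred -M output (not from a real authenticator)."""
    cred_id = bytes(range(16))
    # COSE_Key {1: 2 (EC2), 3: -7 (ES256), -1: 1 (P-256), -2: x, -3: y}, dummy coordinates
    cose = b"\xa5\x01\x02\x03\x26\x20\x01\x21\x58\x20" + b"\x11" * 32 + b"\x22\x58\x20" + b"\x22" * 32
    auth = (hashlib.sha256(rp_id.encode()).digest() + bytes([FLAG_UP | FLAG_UV | FLAG_AT])
            + struct.pack(">I", 1) + b"\x00" * 16 + struct.pack(">H", len(cred_id)) + cred_id + cose)
    sig = b"\x30\x00"  # placeholder blob; the signature is not checked by this example
    return "\n".join([b64(hashlib.sha256(b"credential challenge\n").digest()), rp_id, "packed",
                      b64(auth), b64(cred_id), b64(sig)]) + "\n"

if __name__ == "__main__":
    print(make_input(b"credential challenge\n", "example.com", "user name", b"\x00" * 32), end="")
    print(check_make_output(sample_output(), "example.com", require_uv=True))
```

In practice make_input's result is what you write to cred_param, and check_make_output is run over the captured stdout of `fido2-cred -M` before (or alongside) `fido2-cred -V`; a failed rpIdHash or flags check means the authenticator did not bind the credential to the relying party or policy you asked for, regardless of whether the attestation signature verifies.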
NetBSD 10.1                     November 5, 2019                     NetBSD 10.1