From ae9d48e23bf73b59843f5dff9d00500c1f04b1d2 Mon Sep 17 00:00:00 2001 From: Ludvig Michaelsson Date: Wed, 21 Aug 2024 13:42:14 +0200 Subject: [PATCH] examples: add cred -a toggle To request enterprise attestation. --- examples/README.adoc | 3 ++- examples/cred.c | 13 ++++++++++++- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/examples/README.adoc b/examples/README.adoc index 6151b70b..1249366f 100644 --- a/examples/README.adoc +++ b/examples/README.adoc @@ -64,7 +64,8 @@ The following examples are provided: The -T option may be used to enforce a timeout of . If the option -b is specified, the credential's "largeBlob" key is stored in . If the option -c is specified the the generated credential - will be bound by the specified protection policy. + will be bound by the specified protection policy. If the option -a is + specified, enterprise attestation will be requested. - assert [-t es256|es384|rs256|eddsa] [-a cred_id] [-h hmac_secret] [-P pin] [-s hmac_salt] [-T seconds] [-b blobkey] [-puv] diff --git a/examples/cred.c b/examples/cred.c index 4c9f4c51..b06b4568 100644 --- a/examples/cred.c +++ b/examples/cred.c @@ -36,7 +36,8 @@ static void usage(void) { fprintf(stderr, "usage: cred [-t es256|es384|rs256|eddsa] [-k pubkey] " - "[-ei cred_id] [-P pin] [-T seconds] [-b blobkey] [-c cred_protect] [-hruv] " + "[-ei cred_id] [-P pin] [-T seconds] [-b blobkey] [-c cred_protect] " + "[-a mode] [-hruv] " "\n"); exit(EXIT_FAILURE); } @@ -166,6 +167,7 @@ main(int argc, char **argv) int ch; int r; long long cred_protect = 0; + long long ea = 0; if ((cred = fido_cred_new()) == NULL) errx(1, "fido_cred_new"); @@ -182,6 +184,12 @@ main(int argc, char **argv) errx(1, "-T: %s must be in (0,30]", optarg); ms *= 1000; /* seconds to milliseconds */ break; + case 'a': + if (base10(optarg, &ea) < 0) + errx(1, "base10: %s", optarg); + if (ea <= 0 || ea > 2) + errx(1, "-a: %s must be in (0,2]", optarg); + break; case 'b': ext |= FIDO_EXT_LARGEBLOB_KEY; blobkey_out = optarg; @@ -293,6 +301,9 @@ main(int argc, char **argv) if (cred_protect != 0 && (r = fido_cred_set_prot(cred, (int)cred_protect)) != FIDO_OK) errx(1, "fido_cred_set_prot: %s (0x%x)", fido_strerr(r), r); + + if (ea != 0 && (r = fido_cred_set_entattest(cred, (int)ea)) != FIDO_OK) + errx(1, "fido_cred_set_entattest: %s (0x%x)", fido_strerr(r), r); /* timeout */ if (ms != 0 && (r = fido_dev_set_timeout(dev, (int)ms)) != FIDO_OK)