examples: add cred -a toggle

To request enterprise attestation.
Yubico · Oct 2, 2024 · e9f2466 · e9f2466
1 parent 00b9b0a
commit e9f2466
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 4 deletions.
diff --git a/examples/README.adoc b/examples/README.adoc
@@ -64,7 +64,8 @@ The following examples are provided:
 	The -T option may be used to enforce a timeout of <seconds>. If the
 	option -b is specified, the credential's "largeBlob" key is stored in
 	<blobkey>. If the option -c is specified the the generated credential
-	will be bound by the specified protection policy.
+	will be bound by the specified protection policy. If the option -a is
+	specified, enterprise attestation will be requested.
 
 - assert [-t es256|es384|rs256|eddsa] [-a cred_id] [-h hmac_secret] [-P pin]
          [-s hmac_salt] [-T seconds] [-b blobkey] [-puv] <pubkey> <device>

diff --git a/examples/cred.c b/examples/cred.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018-2023 Yubico AB. All rights reserved.
+ * Copyright (c) 2018-2024 Yubico AB. All rights reserved.
  * Use of this source code is governed by a BSD-style
  * license that can be found in the LICENSE file.
  * SPDX-License-Identifier: BSD-2-Clause
@@ -36,7 +36,8 @@ static void
 usage(void)
 {
 	fprintf(stderr, "usage: cred [-t es256|es384|rs256|eddsa] [-k pubkey] "
-	    "[-ei cred_id] [-P pin] [-T seconds] [-b blobkey] [-c cred_protect] [-hruv] "
+	    "[-ei cred_id] [-P pin] [-T seconds] [-b blobkey] [-c cred_protect] "
+	    "[-a mode] [-hruv] "
 	    "<device>\n");
 	exit(EXIT_FAILURE);
 }
@@ -166,11 +167,12 @@ main(int argc, char **argv)
 	int		 ch;
 	int		 r;
 	long long cred_protect = 0;
+	long long	 ea = 0;
 
 	if ((cred = fido_cred_new()) == NULL)
 		errx(1, "fido_cred_new");
 
-	while ((ch = getopt(argc, argv, "P:T:b:e:hi:k:rt:uvc:")) != -1) {
+	while ((ch = getopt(argc, argv, "P:T:a:b:e:hi:k:rt:uvc:")) != -1) {
 		switch (ch) {
 		case 'P':
 			pin = optarg;
@@ -182,6 +184,12 @@ main(int argc, char **argv)
 				errx(1, "-T: %s must be in (0,30]", optarg);
 			ms *= 1000; /* seconds to milliseconds */
 			break;
+		case 'a':
+			if (base10(optarg, &ea) < 0)
+				errx(1, "base10: %s", optarg);
+			if (ea <= 0 || ea > 2)
+				errx(1, "-a: %s must be in (0,2]", optarg);
+			break;
 		case 'b':
 			ext |= FIDO_EXT_LARGEBLOB_KEY;
 			blobkey_out = optarg;
@@ -293,6 +301,9 @@ main(int argc, char **argv)
 	if (cred_protect != 0 && (r = fido_cred_set_prot(cred,
 	    (int)cred_protect)) != FIDO_OK)
 		errx(1, "fido_cred_set_prot: %s (0x%x)", fido_strerr(r), r);
+
+	if (ea != 0 && (r = fido_cred_set_entattest(cred, (int)ea)) != FIDO_OK)
+		errx(1, "fido_cred_set_entattest: %s (0x%x)", fido_strerr(r), r);
 
 	/* timeout */
 	if (ms != 0 && (r = fido_dev_set_timeout(dev, (int)ms)) != FIDO_OK)