FIDO2-ASSERT(1) | General Commands Manual | FIDO2-ASSERT(1)
fido2-assert —
fido2-assert -G [-bdhpruv] [-t option] [-i input_file] [-o output_file] device
fido2-assert -V [-dhpv] [-i input_file] key_file [type]
fido2-assert gets or verifies a FIDO2 assertion.
The input of fido2-assert is defined by the parameters of the assertion to be obtained/verified. See the INPUT FORMAT section for details.
The output of fido2-assert is defined by the result of the selected operation. See the OUTPUT FORMAT section for details.
If an assertion is successfully obtained or verified, fido2-assert exits 0. Otherwise, fido2-assert exits 1.
The options are as follows:

-G
    Tells fido2-assert to obtain a new assertion from device.

-V
    Tells fido2-assert to verify an assertion using the PEM-encoded public key in key_file of type type, where type may be es256 (denoting ECDSA over NIST P-256 with SHA-256), rs256 (denoting 2048-bit RSA with PKCS#1 v1.5 padding and SHA-256), or eddsa (denoting EdDSA over Curve25519 with SHA-512). If type is not specified, es256 is assumed.

-b

-h

-d
    Tells fido2-assert to emit debugging output on stderr.

-i input_file
    Tells fido2-assert to read the parameters of the assertion from input_file instead of stdin.

-o output_file
    Tells fido2-assert to write output on output_file instead of stdout.

-p

-r
    If -r is specified, fido2-assert will not expect a credential id in its input, and may output multiple assertions. Resident credentials are called “discoverable credentials” in CTAP 2.1.

-t option

    up=true|false

    uv=true|false

    pin=true|false
        Tells fido2-assert whether to prompt for a PIN and request user verification.

    The -t option may be specified multiple times.

-u
    fido2-assert will use FIDO2 if supported by the authenticator, and fall back to U2F otherwise.

-v

If a tty is available, fido2-assert will use it to obtain the PIN. Otherwise, stdin is used.

The input of fido2-assert consists of base64 blobs and UTF-8 strings separated by newline characters ('\n').
When obtaining an assertion, fido2-assert expects its input to consist of:
When verifying an assertion, fido2-assert expects its input to consist of:
UTF-8 strings passed to fido2-assert must not contain embedded newline or NUL characters.
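
An added example, not part of the man page or of libfido2: a Python version of the assert_param construction done by the shell pipeline at the end of this page, which enforces the newline/NUL rule so that a relying party string cannot shift the fields that follow it. The function names and SAMPLE_CRED are constructed for illustration, and the layout of cred (credential id on the first line, PEM public key after it) is an assumption inferred from the head/tail commands in that pipeline.

```python
import base64
import binascii
import hashlib

# Constructed sample standing in for the `cred` file (assumed layout:
# credential id on line 1, PEM public key on the remaining lines).
SAMPLE_CRED = (
    base64.b64encode(b"constructed-credential-id").decode("ascii") + "\n"
    "-----BEGIN PUBLIC KEY-----\n(constructed placeholder)\n"
    "-----END PUBLIC KEY-----\n"
)

def check_string(name: str, value: str) -> str:
    """Reject UTF-8 strings that would break the newline-delimited format."""
    if "\n" in value or "\x00" in value:
        raise ValueError(f"{name}: embedded newline or NUL")
    return value

def check_base64(name: str, line: str) -> str:
    """Require a non-empty, strictly valid base64 blob on a single line."""
    try:
        decoded = base64.b64decode(line, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"{name}: not valid base64") from exc
    if not decoded:
        raise ValueError(f"{name}: empty blob")
    return line

def split_cred(cred_text: str) -> tuple[str, str]:
    """Equivalent of `head -1 cred` and `tail -n +2 cred`."""
    first, _, rest = cred_text.partition("\n")
    return check_base64("credential id", first.strip()), rest

def build_assert_param(challenge: bytes, rp_id: str, cred_text: str) -> str:
    """Return the three input lines passed to `fido2-assert -G -i`."""
    cred_id, _pubkey = split_cred(cred_text)
    digest = hashlib.sha256(challenge).digest()
    lines = [
        base64.b64encode(digest).decode("ascii"),  # hashed challenge, base64 blob
        check_string("relying party", rp_id),      # UTF-8 string
        cred_id,                                   # base64 blob
    ]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # `echo` appends a newline, so the shell pipeline hashes exactly these bytes.
    print(build_assert_param(b"assertion challenge\n", "relying party",
                             SAMPLE_CRED), end="")
```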
The output of fido2-assert consists of base64 blobs and UTF-8 strings separated by newline characters ('\n').
For each generated assertion, fido2-assert outputs:
When verifying an assertion, fido2-assert produces no output.
$ echo assertion challenge | openssl sha256 -binary | base64 > assert_param
$ echo relying party >> assert_param
$ head -1 cred >> assert_param
$ tail -n +2 cred > pubkey
$ fido2-assert -G -i assert_param /dev/hidraw5 | fido2-assert -V pubkey es256

$Mdocdate: November 5 2019 $ | NetBSD 10.0