/ 
Crypt-MultiKey-0.000_001
/ Crypt::MultiKey::FIDO2::Device

NAME

Crypt::MultiKey::FIDO2::Device - Represent a connected fido_dev_t struct of libfido2

DESCRIPTION

This class represents a connection to a FIDO2 device (the fido_dev_t struct of libfido2)

This is an incomplete abstraction of the libfido2 API, providing just enough for the Crype::MultiKey::PKey::FIDO2 implementation.

CONSTRUCTORS

new

$dev= Crype::MultiKey::FIDO2::Device->new($dev_path);

ATTRIBUTES

path

The current host device path name for the authenticator, such as '/dev/hidraw1'.

fido_err

The last error code received from the libfido2 API.

aaguid

A hardware identifier for the model/version of the authenticator, as raw 16 bytes.

aaguid_hex

A hardware identifier for the model/version of the authenticator, formatted in standard GUID hex notation.

algorithms

An arrayref describing public-key algorithms supported by the authenticator. Each element is a hashref containing fields like type and cose.

certifications

A hashref of certification identifiers reported by the authenticator.

extensions

An arrayref of extension names supported by the authenticator.

fwversion

The firmware version reported by the authenticator.

maxcredbloblen

Maximum supported size of a credential blob.

maxcredcntlst

Maximum number of credential IDs accepted in an allow-list.

maxcredidlen

Maximum supported credential ID length.

maxlargeblob

Maximum supported size of the large-blob storage area.

maxmsgsiz

Maximum CTAP message size supported by the authenticator.

maxrpid_minpinlen

Maximum number of RP IDs tracked for minimum PIN length policy.

minpinlen

Minimum PIN length currently enforced by the authenticator.

new_pin_required

True if the authenticator requires a new PIN to be set.

options

A hashref of authenticator option flags.

protocols

An arrayref of supported PIN/UV protocol version numbers.

rk_remaining

The remaining number of discoverable credentials the authenticator reports it can store, or a negative value if not reported.

transports

An arrayref of supported transport names.

uv_attempts

Number of remaining built-in user-verification attempts, if reported.

uv_modality

A bitmask describing built-in user-verification methods supported by the authenticator.

versions

An arrayref of supported CTAP/U2F protocol version strings.

is_fido2

True if authenticator supports FIDO2

supports_pin

True if the authenticator supports a PIN.

has_pin

True if the authenticator has a PIN set.

supports_uv

True if the authenticator supports user verification (UV), such as PIN or biometric authentication, in addition to simple user presence checks like a button press.

has_uv

True if the authenticator currently has a usable user verification (UV) method configured, such as a PIN or biometric. This does not mean UV will be required, only that it is available if requested.

METHODS

open

$bool= $device->open($dev_path);

Open a new device path. On success, any device already open in the current object is closed. On failure, the error is stored in "fido_err".

get_touch_begin

$device->get_touch_begin // croak $device->fido_err;

Begin a "get touch" process. This tells the device that we want to poll for a touch event. It signals to the user that a touch is requested, and reports whether this occurs via "get_touch_status".

get_touch_status

$touched= $device->get_touch_status;
$touched= $device->get_touch_status($wait_seconds);

Check whether this device has received a touch since "get_touch_begin" was called. If it returns true, the touch occurred and the "get touch" process is complete. If it returns false, no touch occurred and the "get touch" is ongoing. If it returns undef, there was an error and the "get touch" is most likely terminated.

cancel

$device->cancel;

Cancel an ongoing operation on the device, such as a "get touch" process.

make_hmac_secret_credential

my $cred= $device->make_hmac_secret_credential(%options);
# %options:
#  discoverable      => $bool,  # whether credential can be seen on device
#  rp_domain         => $str,   # default "crypt-multikey.local"
#  rp_name           => $str,   # default "Crypt::MultiKey"
#  user_name         => $str,   # who or what will be using the credential
#  user_display_name => $str,
#  user_icon         => $data,
#  pin               => $pin_password,

Creates a new credential on the authenticator, for purposes of using the hmac-secret extension. FIDO devices have a limited space for storing credentials, so use this method sparingly. The return value is a hashref of attributes about the credential. Devices may or may not require the pin.

assert_hmac_secret

($resp, $cred)= $device->assert_hmac_secret(%options);
# %options:
#  credential => $cred_or_arrayref,  # one or more credentials to test
#  challenge  => $message,           # sha256($message) will become HMAC salt
#  rp_domain  => $domain_name,       # must match value used during make_credential
#  pin        => $pin_password,      # only for authenticators that require it

Assert that the device possesses one of the credentials (each a hashref as returned by "make_hmac_secret_credential"), and compute hmac-secret on 'challenge' using that credential. The response (HMAC bytes) and which credential was used (same hashref as provided) are returned as a list. This method croaks on errors unless the only error was that none of the credentials exist on the device, in which case it returns an empty list.

This can test a device for multiple credentials in one call, so long as the rp_domain and challenge is the same for each of them. Devices may or may not require the pin.

VERSION

version 0.000_001

AUTHOR

Michael Conrad <mike@nrdvana.net>

COPYRIGHT AND LICENSE

This software is copyright (c) 2026 by Michael Conrad.

This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself.