| FIDO_LARGEBLOB_GET(3) | Library Functions Manual | FIDO_LARGEBLOB_GET(3) | 
fido_dev_largeblob_get,
  fido_dev_largeblob_set,
  fido_dev_largeblob_remove,
  fido_dev_largeblob_get_array,
  fido_dev_largeblob_set_array —
#include <fido.h>
int
  
  fido_dev_largeblob_get(fido_dev_t
    *dev, const unsigned char
    *key_ptr, size_t
    key_len, unsigned char
    **blob_ptr, size_t
    *blob_len);
int
  
  fido_dev_largeblob_set(fido_dev_t
    *dev, const unsigned char
    *key_ptr, size_t
    key_len, const unsigned
    char *blob_ptr, size_t
    blob_len, const char
    *pin);
int
  
  fido_dev_largeblob_remove(fido_dev_t
    *dev, const unsigned char
    *key_ptr, size_t
    key_len, const char
    *pin);
int
  
  fido_dev_largeblob_get_array(fido_dev_t
    *dev, unsigned char
    **cbor_ptr, size_t
    *cbor_len);
int
  
  fido_dev_largeblob_set_array(fido_dev_t
    *dev, const unsigned char
    *cbor_ptr, size_t
    cbor_len, const char
    *pin);
“largeBlobs” are stored as elements of a CBOR array. Confidentiality is ensured by encrypting each element with a distinct, credential-bound 256-bit AES-GCM key. The array is otherwise shared between different credentials and FIDO2 relying parties.
Retrieval of a credential's encryption key is possible during enrollment with fido_cred_set_extensions(3) and fido_cred_largeblob_key_ptr(3), during assertion with fido_assert_set_extensions(3) and fido_assert_largeblob_key_ptr(3), or, in the case of a resident credential, via libfido2's credential management API.
The “largeBlobs” CBOR array is opaque to the authenticator. Management of the array is left at the discretion of FIDO2 clients. For further details on CTAP 2.1's “largeBlobs” extension, please refer to the CTAP 2.1 spec.
The fido_dev_largeblob_get() function
    retrieves the authenticator's “largeBlobs” CBOR array and, on
    success, returns the first blob (iterating from array index zero) that can
    be decrypted by key_ptr, where
    key_ptr points to key_len bytes.
    On success, fido_dev_largeblob_get() sets
    blob_ptr to the body of the decrypted blob, and
    blob_len to the length of the decrypted blob in bytes.
    It is the caller's responsibility to free
  blob_ptr.
The fido_dev_largeblob_set() function uses
    key_ptr to encrypt blob_ptr and
    inserts the result in the authenticator's “largeBlobs” CBOR
    array. Insertion happens at the end of the array if no existing element can
    be decrypted by key_ptr, or at the position of the
    first element (iterating from array index zero) that can be decrypted by
    key_ptr. key_len holds the
    length of key_ptr in bytes, and
    blob_len the length of blob_ptr
    in bytes. A pin or equivalent user-verification
    gesture is required.
The fido_dev_largeblob_remove() function
    retrieves the authenticator's “largeBlobs” CBOR array and, on
    success, drops the first blob (iterating from array index zero) that can be
    decrypted by key_ptr, where
    key_ptr points to key_len bytes.
    A pin or equivalent user-verification gesture is
    required.
The fido_dev_largeblob_get_array()
    function retrieves the authenticator's “largeBlobs” CBOR array
    and, on success, sets cbor_ptr to the body of the CBOR
    array, and cbor_len to its corresponding length in
    bytes. It is the caller's responsibility to free
    cbor_ptr.
Finally, the
    fido_dev_largeblob_set_array() function sets the
    authenticator's “largeBlobs” CBOR array to the data pointed to
    by cbor_ptr, where cbor_ptr
    points to cbor_len bytes. A pin
    or equivalent user-verification gesture is required.
fido_dev_largeblob_set(),
  fido_dev_largeblob_get(),
  fido_dev_largeblob_remove(),
  fido_dev_largeblob_get_array(), and
  fido_dev_largeblob_set_array() return
  FIDO_OK on success. On error, an error code defined in
  <fido/err.h> is returned.
| $Mdocdate: October 26 2020 $ | NetBSD 10.0 |