go-fdo-client
go-fdo-client is a client implementation of the FIDO Device Onboard (FDO) specification written in Go, built on the Go FDO protocol library (go-fdo).
Prerequisites:
- Go 1.23.0 or later
- A Go module initialized with go mod init
The update-deps.sh script updates every dependency in the Go module to its latest version and then tidies go.mod and go.sum. Review the resulting changes to go.mod and go.sum before committing them, since the script pulls in whatever the latest published versions are.
To update the dependencies, run the script:
./update-deps.sh
The client application can be built with make build or directly with go build:
$ make build
or
$ go build -o fdo_client ./cmd/fdo_client
The binary's usage text:
$ ./fdo_client
Usage:
fdo_client [--] [options]
Client options:
-blob string
File path of device credential blob (default "cred.bin")
-cipher suite
Name of cipher suite to use for encryption (see usage) (default "A128GCM")
-debug
Print HTTP contents
-di URL
HTTP base URL for DI server
-di-key string
Key for device credential [options: ec256, ec384, rsa2048, rsa3072] (default "ec384")
-di-key-enc string
Public key encoding to use for manufacturer key [x509,x5chain,cose] (default "x509")
-download dir
A dir to download files into (FSIM disabled if empty)
-echo-commands
Echo all commands received to stdout (FSIM disabled if false)
-insecure-tls
Skip TLS certificate verification
-kex suite
Name of cipher suite to use for key exchange (see usage) (default "ECDH384")
-print
Print device credential blob and stop
-rv-only
Perform TO1 then stop
-resale
Perform resale
-tpm path
Use a TPM at path for device credential secrets
-upload files
List of dirs and files to upload files from, comma-separated and/or flag provided multiple times (FSIM disabled if empty)
-wget-dir dir
A dir to wget files into (FSIM disabled if empty)
Key types:
- RSA2048RESTR
- RSAPKCS
- RSAPSS
- SECP256R1
- SECP384R1
Encryption suites:
- A128GCM
- A192GCM
- A256GCM
- AES-CCM-64-128-128 (not implemented)
- AES-CCM-64-128-256 (not implemented)
- COSEAES128CBC
- COSEAES128CTR
- COSEAES256CBC
- COSEAES256CTR
Key exchange suites:
- DHKEXid14
- DHKEXid15
- ASYMKEX2048
- ASYMKEX3072
- ECDH256
- ECDH384
Remove the credential file if it exists, so that DI starts from a clean state:
rm cred.bin
Run the FDO client, specifying the DI URL (http://127.0.0.1:8080 is a local test server; use https:// against any real DI or RV endpoint, and reserve -insecure-tls for development):
./fdo_client -di http://127.0.0.1:8080 -debug
Print the device credential stored in cred.bin:
./fdo_client -print
TO0 is not performed by the client: it is completed between the Owner and the Rendezvous (RV) server, and must have happened before TO1 can succeed.
Run the FDO client in RV-only mode (TO1 only, then stop):
./fdo_client -rv-only -debug
Run the FDO client end to end (TO1 followed by TO2) for E2E testing:
./fdo_client -debug
Ensure tpm2_tools is installed on your system.
Clear TPM NV Index
If a previous run left a device credential in the TPM, clear the NV index used for it (the TPM equivalent of removing cred.bin):
sudo tpm2_nvundefine 0x01D10001
Run the FDO client, specifying the DI URL and the path of the TPM resource manager. With a TPM, the key type and key exchange suite must always be given explicitly with the -di-key and -kex flags:
./fdo_client -di http://127.0.0.1:8080 -di-key ec256 -kex ECDH256 -tpm /dev/tpmrm0 -debug
NOTE: fdo_client may require elevated privileges to access the TPM. Run it with sudo if so.
Print the device credential held in the TPM:
./fdo_client -tpm /dev/tpmrm0 -print
TO0 is completed between the Owner and the RV server, not by the client.
Run the FDO client in RV-only mode:
./fdo_client -rv-only -di-key ec256 -kex ECDH256 -tpm /dev/tpmrm0 -debug
Run the FDO client end to end (TO1 followed by TO2) for E2E testing:
./fdo_client -di-key ec256 -kex ECDH256 -tpm /dev/tpmrm0 -debug
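Added example, not part of this README or the go-fdo-client project: a POSIX shell wrapper that drives both the file-backed flow and the TPM-backed flow above (reset, DI, print, RV-only, end to end). It assumes the binary is ./fdo_client, the blob is cred.bin, the resource manager is /dev/tpmrm0 and the NV index is the 0x01D10001 shown above; the environment variables FDO_CLIENT, CRED_BLOB, TPM_PATH, USE_TPM, DI_KEY, KEX, DEBUG and ALLOW_HTTP_DI are this example's own. Beyond composing the flag sets above, it adds two checks an operator would want: it refuses a plaintext http:// DI URL unless ALLOW_HTTP_DI=1 is set (the 127.0.0.1:8080 address is a local test server), and it only undefines the NV index when the TPM reports it as defined.

```shell
#!/bin/sh
# Added example, not part of go-fdo-client: a wrapper around fdo_client for the
# flows in this README. Assumptions (hypothetical, adjust to your setup):
#   FDO_CLIENT  path of the built binary        (default ./fdo_client)
#   CRED_BLOB   file-backed credential blob     (default cred.bin, as in -blob)
#   TPM_PATH    TPM resource manager device     (default /dev/tpmrm0)
#   USE_TPM=1   keep credential secrets in the TPM instead of the blob file
#   DI_KEY/KEX  key type and key exchange suite (default ec256 / ECDH256)
#   DEBUG=1     add -debug; ALLOW_HTTP_DI=1 permits a plaintext http:// DI URL
set -eu

FDO_CLIENT="${FDO_CLIENT:-./fdo_client}"
CRED_BLOB="${CRED_BLOB:-cred.bin}"
TPM_PATH="${TPM_PATH:-/dev/tpmrm0}"
TPM_NV_INDEX="0x01D10001"   # NV index this README clears with tpm2_nvundefine

# check_di_url URL: accept https://; accept http:// only when ALLOW_HTTP_DI=1
# (a local test server such as http://127.0.0.1:8080); reject anything else.
check_di_url() {
  case "$1" in
    https://*) return 0 ;;
    http://*)
      if [ "${ALLOW_HTTP_DI:-0}" = "1" ]; then return 0; fi
      echo "refusing plaintext DI URL $1 (set ALLOW_HTTP_DI=1 for a local test server)" >&2
      return 1 ;;
    *) echo "DI URL must start with https:// or http://: $1" >&2; return 1 ;;
  esac
}

# fdo_args MODE [DI_URL]: print the fdo_client argument list for MODE, one of
# di, print, rv-only, e2e. With USE_TPM=1 the -tpm flag is added and, as the
# README requires for TPM use, -di-key and -kex are always made explicit.
fdo_args() {
  mode="$1"; di_url="${2:-}"; args=""
  case "$mode" in
    di)      check_di_url "$di_url" || return 1; args="-di $di_url" ;;
    print)   args="-print" ;;
    rv-only) args="-rv-only" ;;
    e2e)     args="" ;;
    *)       echo "unknown mode: $mode" >&2; return 1 ;;
  esac
  if [ "${USE_TPM:-0}" = "1" ]; then
    args="$args -tpm $TPM_PATH"
    # -print only reads the credential; every other mode needs explicit key/kex
    if [ "$mode" != "print" ]; then
      args="$args -di-key ${DI_KEY:-ec256} -kex ${KEX:-ECDH256}"
    fi
  else
    args="$args -blob $CRED_BLOB"
  fi
  if [ "${DEBUG:-0}" = "1" ]; then args="$args -debug"; fi
  echo "${args# }"
}

# reset_credential: remove the stored credential so DI can be run again.
# With a TPM, undefine the NV index only if the TPM reports it as defined,
# so a fresh TPM does not fail here.
reset_credential() {
  if [ "${USE_TPM:-0}" = "1" ]; then
    command -v tpm2_nvundefine >/dev/null 2>&1 || {
      echo "tpm2-tools not installed" >&2; return 1; }
    if sudo tpm2_nvreadpublic "$TPM_NV_INDEX" >/dev/null 2>&1; then
      sudo tpm2_nvundefine "$TPM_NV_INDEX"
    fi
  else
    rm -f "$CRED_BLOB"
  fi
}

# run_client MODE [DI_URL]: build the argument list and run the binary,
# via sudo when the TPM is in use (see the NOTE above about privileges).
run_client() {
  cmd_args="$(fdo_args "$@")"
  if [ "${USE_TPM:-0}" = "1" ]; then
    # word splitting of $cmd_args is intended
    sudo "$FDO_CLIENT" $cmd_args
  else
    "$FDO_CLIENT" $cmd_args
  fi
}

# Dispatch only when invoked with a subcommand, so the functions can be sourced.
if [ "$#" -gt 0 ]; then
  case "$1" in
    reset) reset_credential ;;
    di|print|rv-only|e2e) run_client "$@" ;;
    *) echo "usage: $0 reset | di URL | print | rv-only | e2e" >&2; exit 2 ;;
  esac
fi
```

Typical use, mirroring the sequence above: `./fdo.sh reset`, then `ALLOW_HTTP_DI=1 DEBUG=1 ./fdo.sh di http://127.0.0.1:8080`, `./fdo.sh print`, `./fdo.sh rv-only` once TO0 has been completed by the Owner and RV, and finally `./fdo.sh e2e`; prefix every call with `USE_TPM=1` for the TPM-backed flow.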