CLI Testing Tool

The Arculus FIDO2 CLI (Command Line Interface) is a desktop testing tool for validating Arculus FIDO2 card functionality and testing integration with FIDO2 servers. It provides a command-line interface to perform all FIDO2 operations including registration, authentication, PIN management, and credential management.

Note: This tool is intended for testing and development purposes only. It requires a desktop NFC card reader that supports the PC/SC interface. Arculus has tested with the following NFC card readers:

  • HID OmniKey 5422 HID

  • LIBO NFC Smart ACR122U RFI

Overview

The CLI tool allows you to:

  • Test FIDO2 registration and authentication flows

  • Manage PINs (set, change, check retries)

  • List and manage credentials on the card

  • Test against local or remote FIDO2 servers

  • Validate card functionality before integrating the SDK into your application

  • Debug FIDO2 operations with detailed logging

Prerequisites

Hardware Requirements

  • Desktop NFC Card Reader: A PC/SC-compatible NFC reader (e.g., HID Global OMNIKEY 5422)

  • Arculus FIDO2 Card: An Arculus FIDO2 hardware security key

Software Requirements

  • PC/SC Support:

    • Windows: Built-in (no additional installation needed)

    • macOS: Built-in (no additional installation needed)

    • Linux: Install pcsclite from your package manager or from source

Obtaining the CLI Tool

Contact your Arculus representative to obtain the CLI tool distribution package. The package includes:

  • ArculusFidoCli.jar - Main CLI executable

  • Convenience scripts (.sh for Linux/macOS, .bat for Windows)

  • Required dependencies

Installation

Extract the Distribution Package

Verify PC/SC Reader Detection

Before using the CLI, verify that your card reader is detected:

Expected output:

Note: On Windows, the CLI must be run as Administrator, as FIDO2 CTAP card interactions are blocked for normal user accounts for security reasons.

Basic Usage

The CLI tool uses the arculusFido.sh (or arculusFido.bat on Windows) script with a --command parameter to specify the operation.

Common Parameters

Most commands support these common parameters:

| Parameter | Description | Default |
|---|---|---|
| --command=<command> | Command to execute (required) | None |
| --pin=<PIN> | 6+ digit numeric PIN | 123456 |
| --address=<address> | FIDO2 server address | 127.0.0.1 |
| --port=<port> | FIDO2 server port | 5001 |
| --relyingParty=<rpId> | Relying party ID | localhost |
| --username=<username> | User identifier | |
| --displayName=<name> | Display name | Test User |
| --preferredReader=<name> | PC/SC reader name | Auto-detect |
| --ignoreSSLCertValidation=<true\|false> | Ignore SSL cert validation (testing only) | false |
| --sdk | Output raw SDK results only | false |

Server Address Format: The --address parameter can be:

  • IP address: 127.0.0.1

  • Hostname: localhost

  • URL with protocol: https://myserver.com (port defaults to 443)

  • URL without protocol: myserver.com (uses specified port)
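
The following pre-flight check is an added example, not part of the Arculus distribution: it resolves --address and --port as the list above describes and flags risky argument combinations before they are passed to arculusFido.sh. The finding names, the loopback list and the handling of an explicit port inside an https:// URL are assumptions of this example.

```sh
#!/bin/sh
# Added example, not Arculus code. Flag names and defaults come from the
# parameter table; the policy checks below are this example's assumptions.

# resolve_endpoint ADDRESS [PORT] -> prints "host port" per Server Address Format.
resolve_endpoint() (
  addr=$1; port=${2:-5001}                 # 5001: documented --port default
  case $addr in
    https://*)
      addr=${addr#https://}; addr=${addr%%/*}
      case $addr in
        *:*) port=${addr##*:}; addr=${addr%:*} ;;  # assumption: explicit URL port wins
        *)   port=443 ;;                           # documented: https defaults to 443
      esac ;;
    *://*) exit 2 ;;                       # other schemes are not documented on the page
  esac
  echo "$addr $port"
)

# Exact matches only, so a hostname such as 127.example.com is not treated as local.
is_loopback() { case $1 in localhost|127.0.0.1|::1) return 0 ;; *) return 1 ;; esac; }

# lint_args ARGS... -> prints one finding per line; exit status 1 if any finding.
lint_args() (
  pin=123456; address=127.0.0.1; port=5001; insecure=false; rc=0
  for a in "$@"; do
    case $a in
      --pin=*)     pin=${a#*=} ;;
      --address=*) address=${a#*=} ;;
      --port=*)    port=${a#*=} ;;
      --ignoreSSLCertValidation=*) insecure=${a#*=} ;;
    esac
  done
  ep=$(resolve_endpoint "$address" "$port") || { echo "BAD_ADDRESS $address"; exit 1; }
  host=${ep% *}
  # Set PIN section of the page: numeric, between 4 and 12 digits.
  case $pin in ''|*[!0-9]*) echo "PIN_FORMAT"; rc=1 ;; esac
  if [ "${#pin}" -lt 4 ] || [ "${#pin}" -gt 12 ]; then echo "PIN_LENGTH"; rc=1; fi
  if ! is_loopback "$host"; then
    # Testing-only settings pointed at a server that is not this machine.
    if [ "$insecure" = true ]; then echo "TLS_VALIDATION_OFF $ep"; rc=1; fi
    if [ "$pin" = 123456 ]; then echo "DEFAULT_PIN $ep"; rc=1; fi
  fi
  exit "$rc"
)

if [ "$#" -gt 0 ]; then lint_args "$@"; fi
```

Run it with the same arguments you intend to give the CLI; a non-zero exit status means at least one finding was printed.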

Commands

Device Information

Get Version

Get the version information from the Arculus FIDO2 card:

Or use the convenience script:

Get Device Info

Get detailed device information:

Or use the convenience script:

PIN Management

Set PIN

Set a PIN on the card. Note: Setting a PIN also resets the device to a clean state.

Or use the convenience script:

PIN Requirements: PIN must be numeric and between 4 and 12 digits.

Change PIN

Change an existing PIN. Note: This does NOT reset the device.

Or use the convenience script:

Check PIN Retries

Get the number of PIN retries remaining:

Or use the convenience script:

Device Management

Reset Device

Reset the Arculus FIDO2 device to a clean state (removes all credentials):

Or use the convenience script:

Registration

Register a user and create a FIDO2 credential on both the card and the FIDO2 server:

Parameters:

  • --pin: Card PIN (required)

  • --username: User identifier (required)

  • --displayName: Human-readable name (required)

  • --address: FIDO2 server address

  • --port: FIDO2 server port

  • --relyingParty: Relying party ID (domain)

  • --registrationInfo: Optional JSON object with device metadata

  • --resetOnRegister: Reset device before registering (optional)

Example with HTTPS:

Or use the convenience script:

Authentication

Authenticate a user with an existing FIDO2 credential:

Parameters:

  • --pin: Card PIN (required, unless --nopin is used)

  • --username: User identifier (required)

  • --displayName: Human-readable name (required)

  • --address: FIDO2 server address

  • --port: FIDO2 server port

  • --relyingParty: Relying party ID (domain)

  • --nopin: Authenticate without PIN (if card allows)

Example with HTTPS:

Or use the convenience script:

Credential Management

List Credentials for Relying Party

List all credentials on the card for a specific relying party:

Or use the convenience script:

List All Credentials

List all credentials on the card across all relying parties:

Or use the convenience script:

List All Relying Parties

List all relying party domains that have credentials on the card:

Or use the convenience script:

Delete Credential

Delete a specific credential from the card:

Or use the convenience script:

Advanced Options

Server Configuration

For testing with non-Arculus FIDO2 servers (e.g., StrongKey, ImproveId), use the --server-config parameter:

Custom API Paths

For servers with custom API paths, configure them in the server config:

SDK Mode Output

Use --sdk to get raw SDK output (useful for scripting):

This suppresses all logging and outputs only the raw SDK response JSON.

Logging

Control log verbosity with --logLevel:

Log levels:

  • 0 = Verbose

  • 1 = Debug

  • 2 = Info

  • 3 = Warning

  • 4 = Error

Testing Workflows

Complete Test Sequence

Run all commands in sequence (version, reset, set PIN, register, authenticate):

Or use the convenience script:

Local Development Testing

Test against a local FIDO2 server:

Or use the convenience script for localhost:

Response Format

The CLI tool returns JSON responses in the following format:

Success Response:

Error Response:

For detailed error code meanings, see 2.8 Error Codes.

Use Cases

Development Testing

Use the CLI tool during development to:

  • Verify card functionality before SDK integration

  • Test FIDO2 server connectivity

  • Validate registration and authentication flows

  • Debug credential management operations

Integration Validation

Before deploying to production:

  • Test registration with your production server configuration

  • Verify authentication flows work correctly

  • Validate multi-tenant scenarios (if applicable)

  • Test error handling and edge cases

Troubleshooting

Use the CLI tool to diagnose issues:

  • Verify card is detected and functional

  • Test PIN operations

  • Check credential storage on the card

  • Validate server connectivity and responses

Limitations

  • Desktop Only: Requires PC/SC-compatible NFC reader (not available for mobile platforms)

  • Testing Tool: Intended for development and testing, not production use

  • Windows Admin: On Windows, must run as Administrator

  • Single Card: Tests one card at a time
