Class ClientPinCommand

Namespace
Yubico.YubiKey.Fido2.Commands
Assembly
Yubico.YubiKey.dll

The ClientPinCommand allows a client or platform to use a PIN/UV auth protocol to perform a number of actions such as authenticating the PIN, setting and changing the PIN, and getting the number of PIN retries left.

public class ClientPinCommand : IYubiKeyCommand<IYubiKeyResponse>
Inheritance
object
ClientPinCommand
Implements

Remarks

The `authenticatorClientPin (0x06)` FIDO2 command can be thought of more as a "meta" command. That is, it provides the structure and mechanism for performing a number of subcommands. These subcommands are:

  • GetPinRetries (0x01)
  • GetKeyAgreement (0x02)
  • SetPIN (0x03)
  • ChangePIN (0x04)
  • GetPinToken (0x05)
  • GetPinUvAuthTokenUsingUvWithPermissions (0x06)
  • GetUVRetries (0x07)
  • GetPinUvAuthTokenUsingPinWithPermissions (0x09)

Since the SDK does not have the concept of a subcommand natively, these are all exposed as their own separate commands.

This command should seldom be used directly. It is exposed for completeness. The subcommands exposed in this namespace use it as their implementation and expose a pared down version of the parameters.

See the user manual entry on PIN protocols for a much more in-depth guide to working with PINs within FIDO2. For more information on a particular subcommand, see the API reference documentation for that command class (linked above).

Properties

Application

Gets the YubiKeyApplication (e.g. PIV, OATH, etc.) to which this command applies.

public YubiKeyApplication Application { get; }

Property Value

YubiKeyApplication

YubiKeyApplication.Otp, YubiKeyApplication.Piv, etc.

KeyAgreement

The platform key-agreement key.

public CoseKey? KeyAgreement { get; set; }

Property Value

CoseKey

Remarks

This is a public key, derived using the current PIN/UV protocol in use. See the user manual entry on PIN protocols for a much more in-depth guide to working with PINs within FIDO2.

NewPinEnc

An encrypted PIN.

public ReadOnlyMemory<byte>? NewPinEnc { get; set; }

Property Value

ReadOnlyMemory<byte>?

Remarks

See the user manual entry on PIN protocols for a much more in-depth guide to working with PINs within FIDO2.

Permissions

A set of permission flags. If present, it must not be zero.

public PinUvAuthTokenPermissions? Permissions { get; set; }

Property Value

PinUvAuthTokenPermissions?

Remarks

See the user manual entry on PIN protocols for a much more in-depth guide to working with PINs within FIDO2.

PinHashEnc

An encrypted proof-of-knowledge of a PIN.

public ReadOnlyMemory<byte>? PinHashEnc { get; set; }

Property Value

ReadOnlyMemory<byte>?

Remarks

See the user manual entry on PIN protocols for a much more in-depth guide to working with PINs within FIDO2.

PinUvAuthParam

The output of calling authenticate on the PIN/UV protocol specific to a particular subcommand.

public ReadOnlyMemory<byte>? PinUvAuthParam { get; set; }

Property Value

ReadOnlyMemory<byte>?

Remarks

See the user manual entry on PIN protocols for a much more in-depth guide to working with PINs within FIDO2.

PinUvAuthProtocol

An optional PIN/UV protocol version chosen by the platform.

public PinUvAuthProtocol? PinUvAuthProtocol { get; set; }

Property Value

PinUvAuthProtocol?

Remarks

A PIN/UV protocol must be used when working with a PIN. The specified protocol must be one of the protocols that are supported by the YubiKey. This can be determined by issuing the AuthenticatorGetInfo command.

This parameter is optional for the GetPinRetries and GetUVRetries subcommands, and is mandatory for all others.

RpId

The Relying Party ID (RP ID) to assign as the permissions RP ID.

public string? RpId { get; set; }

Property Value

string

Remarks

See the user manual entry on PIN protocols for a much more in-depth guide to working with PINs within FIDO2.

SubCommand

The Client PIN subcommand to issue to the YubiKey.

public int SubCommand { get; set; }

Property Value

int

Remarks

This is a mandatory parameter, and must be one of the following values:

  • GetPinRetries (0x01)
  • GetKeyAgreement (0x02)
  • SetPIN (0x03)
  • ChangePIN (0x04)
  • GetPinToken (0x05)
  • GetPinUvAuthTokenUsingUvWithPermissions (0x06)
  • GetUVRetries (0x07)
  • GetPinUvAuthTokenUsingPinWithPermissions (0x09)

Alternatively, you can use one of the command classes exposed by the SDK that represents the subcommand itself. This method is recommended, as these command classes expose only the parameters that are relevant to that subcommand.
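
The following C# example is added here for illustration and is not part of the SDK or of Yubico's documentation. It checks a set of supplied parameters against the chosen subcommand before a command is built, flagging missing parameters, parameters the subcommand does not use, and a zero Permissions value. The `P` enum and `ClientPinPreflight` class are hypothetical names; the required-parameter sets are assumed from the CTAP 2.1 definition of `authenticatorClientPin`, and the optional protocol for the two retry subcommands follows the PinUvAuthProtocol remarks above.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical helper for illustration; none of these types exist in Yubico.YubiKey.
[Flags]
enum P { None = 0, PinUvAuthProtocol = 1, KeyAgreement = 2, PinUvAuthParam = 4,
         NewPinEnc = 8, PinHashEnc = 16, Permissions = 32, RpId = 64 }

static class ClientPinPreflight
{
    const P Base = P.PinUvAuthProtocol | P.KeyAgreement;

    // (required, optional) per subcommand. Required sets are assumed from CTAP 2.1;
    // the optional protocol for the retry counters follows the Remarks on this page.
    static readonly Dictionary<int, (P Req, P Opt)> Rules = new()
    {
        [0x01] = (P.None, P.PinUvAuthProtocol),                                   // GetPinRetries
        [0x02] = (P.PinUvAuthProtocol, P.None),                                   // GetKeyAgreement
        [0x03] = (Base | P.NewPinEnc | P.PinUvAuthParam, P.None),                 // SetPIN
        [0x04] = (Base | P.PinHashEnc | P.NewPinEnc | P.PinUvAuthParam, P.None),  // ChangePIN
        [0x05] = (Base | P.PinHashEnc, P.None),                                   // GetPinToken
        [0x06] = (Base | P.Permissions, P.RpId),                                  // ...UsingUvWithPermissions
        [0x07] = (P.None, P.PinUvAuthProtocol),                                   // GetUVRetries
        [0x09] = (Base | P.PinHashEnc | P.Permissions, P.RpId),                   // ...UsingPinWithPermissions
    };

    // Returns a list of problems; an empty list means the combination is consistent.
    public static List<string> Check(int subCommand, P supplied, int permissions = 0)
    {
        var problems = new List<string>();
        if (!Rules.TryGetValue(subCommand, out var rule))
        {
            problems.Add($"0x{subCommand:X2} is not a Client PIN subcommand");
            return problems;
        }
        P missing = rule.Req & ~supplied;
        P unused = supplied & ~(rule.Req | rule.Opt);
        if (missing != P.None) problems.Add($"missing: {missing}");
        if (unused != P.None) problems.Add($"not used by this subcommand: {unused}");
        if (supplied.HasFlag(P.Permissions) && permissions == 0)
            problems.Add("Permissions is present but zero");
        return problems;
    }

    static void Main()
    {
        // Constructed inputs: GetPinToken without PinHashEnc, then the unlisted value 0x08.
        Console.WriteLine(string.Join("; ", Check(0x05, Base)));
        Console.WriteLine(string.Join("; ", Check(0x08, P.None)));
    }
}
```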

Methods

CreateCommandApdu()

Creates a well-formed CommandApdu to send to the YubiKey.

public CommandApdu CreateCommandApdu()

Returns

CommandApdu

A valid CommandApdu that is ready to be sent to the YubiKey, or passed along to additional encoders for further processing.

Remarks

This method will first perform validation on all of the parameters and data provided to it. The CommandApdu it creates should contain all of the data payload for the command, even if it exceeds the 65,535-byte limit specified by ISO 7816-4. The APDU will be properly chained by the device connection prior to being sent to the YubiKey, and the responses will be collapsed into a single result.

CreateResponseForApdu(ResponseApdu)

Creates the corresponding IYubiKeyResponse implementation for the current command.

public IYubiKeyResponse CreateResponseForApdu(ResponseApdu responseApdu)

Parameters

responseApdu ResponseApdu

The ResponseApdu returned by the YubiKey.

Returns

IYubiKeyResponse

The implementation of IYubiKeyResponse that parses and presents the response APDU.