Class ClientPinCommand
The ClientPinCommand allows a client or platform to use a PIN/UV auth protocol to perform a number of actions such as authenticating the PIN, setting and changing the PIN, and getting the number of PIN retries left.
public class ClientPinCommand : IYubiKeyCommand<IYubiKeyResponse>
- Inheritance
-
objectClientPinCommand
- Implements
Remarks
The `authenticatorClientPin (0x06)` FIDO2 command can be thought of more as a "meta" command. That is, it provides the structure and mechanism for performing a number of subcommands. These subcommands are:
- GetPinRetries (0x01)
- GetKeyAgreement (0x02)
- SetPIN (0x03)
- ChangePIN (0x04)
- GetPinToken (0x05)
- GetPinUvAuthTokenUsingUvWithPermissions (0x06)
- GetUVRetries (0x07)
- GetPinUvAuthTokenUsingPinWithPermissions (0x09)
Since the SDK does not have the concept of a subcommand natively, these are all exposed as their own separate commands.
This command should seldom be used directly. It is exposed for completeness. The subcommands exposed in this namespace use it as their implementation and expose a pared down version of the parameters.
See the user manual entry on PIN protocols for a much more in depth guide to working with PINs within FIDO2. For more information on a particular subcommand, see the API reference documentation for that command class (linked above).
Properties
Application
Gets the YubiKeyApplication (e.g. PIV, OATH, etc.) to which this command applies.
public YubiKeyApplication Application { get; }
Property Value
- YubiKeyApplication
YubiKeyApplication.Otp, YubiKeyApplication.Piv, etc.
KeyAgreement
The platform key-agreement key.
public CoseKey? KeyAgreement { get; set; }
Property Value
Remarks
This is a public key, derived using the current PIN/UV protocol in use. See the user manual entry on PIN protocols for a much more in depth guide to working with PINs within FIDO2.
NewPinEnc
An encrypted PIN.
public ReadOnlyMemory<byte>? NewPinEnc { get; set; }
Property Value
- ReadOnlyMemory<byte>?
Remarks
See the user manual entry on PIN protocols for a much more in depth guide to working with PINs within FIDO2.
Permissions
A set of permission flags. If present, it must not be zero.
public PinUvAuthTokenPermissions? Permissions { get; set; }
Property Value
Remarks
See the user manual entry on PIN protocols for a much more in depth guide to working with PINs within FIDO2.
PinHashEnc
An encrypted proof-of-knowledge of a PIN.
public ReadOnlyMemory<byte>? PinHashEnc { get; set; }
Property Value
- ReadOnlyMemory<byte>?
Remarks
See the user manual entry on PIN protocols for a much more in depth guide to working with PINs within FIDO2.
PinUvAuthParam
The output of calling authenticate on the PIN/UV protocol specific to a particular subcommand.
public ReadOnlyMemory<byte>? PinUvAuthParam { get; set; }
Property Value
- ReadOnlyMemory<byte>?
Remarks
See the user manual entry on PIN protocols for a much more in depth guide to working with PINs within FIDO2.
PinUvAuthProtocol
An optional PIN/UV protocol version chosen by the platform.
public PinUvAuthProtocol? PinUvAuthProtocol { get; set; }
Property Value
Remarks
A PIN/UV protocol must be used when working with a PIN. The specified protocol must be one of the protocols that are supported by the YubiKey. This can be determined by issuing the AuthenticatorGetInfo command.
This parameter is optional for the GetPinRetries and GetUvRetries subcommands, and is mandatory for all others.
RpId
The Relying Party ID (RP ID) to assign as the permissions RP ID.
public string? RpId { get; set; }
Property Value
- string
Remarks
See the user manual entry on PIN protocols for a much more in depth guide to working with PINs within FIDO2.
SubCommand
The Client PIN subcommand to issue to the YubiKey.
public int SubCommand { get; set; }
Property Value
- int
Remarks
This is a mandatory parameter, and must be one of the following values:
- GetPinRetries (0x01)
- GetKeyAgreement (0x02)
- SetPIN (0x03)
- ChangePIN (0x04)
- GetPinToken (0x05)
- GetPinUvAuthTokenUsingUvWithPermissions (0x06)
- GetUVRetries (0x07)
- GetPinUvAuthTokenUsingPinWithPermissions (0x09)
Alternatively - you can use one of the command classes exposed by the SDK that represents the subcommand itself. This method is recommended as these command classes will only expose the parameters that are relevant to that subcommand.
Methods
CreateCommandApdu()
Creates a well-formed CommandApdu to send to the YubiKey.
public CommandApdu CreateCommandApdu()
Returns
- CommandApdu
A valid CommandApdu that is ready to be sent to the YubiKey, or passed along to additional encoders for further processing.
Remarks
This method will first perform validation on all of the parameters and data provided to it. The CommandAPDU it creates should contain all of the data payload for the command, even if it exceeds 65,535 bytes as specified by the ISO 7816-4 specification. The APDU will be properly chained by the device connection prior to being sent to the YubiKey, and the responses will collapsed into a single result.
CreateResponseForApdu(ResponseApdu)
Creates the corresponding IYubiKeyResponse implementation for the current command.
public IYubiKeyResponse CreateResponseForApdu(ResponseApdu responseApdu)
Parameters
responseApdu
ResponseApduThe ResponseApdu returned by the YubiKey.
Returns
- IYubiKeyResponse
The implementation of IYubiKeyResponse that parses and presents ths response APDU.