
Class CredentialManagementCommand

Namespace
Yubico.YubiKey.Fido2.Commands
Assembly
Yubico.YubiKey.dll

The CredentialManagementCommand is the class for authenticatorCredentialManagement. This command has a number of subcommands, each of which is represented by its own class. You will likely never use this class directly, but it does contain code shared by all the subcommands.

public class CredentialManagementCommand : IYubiKeyCommand<CredentialManagementResponse>
Inheritance
object
CredentialManagementCommand
Implements
IYubiKeyCommand<CredentialManagementResponse>
Remarks

The authenticatorCredentialManagement (0x0A) FIDO2 command can be thought of as a "meta" command. That is, it provides the structure and mechanism for performing a number of subcommands. These subcommands are:

- getCredsMetadata (0x01)
- enumerateRPsBegin (0x02)
- enumerateRPsGetNextRP (0x03)
- enumerateCredentialsBegin (0x04)
- enumerateCredentialsGetNextCredential (0x05)
- deleteCredential (0x06)
- updateUserInformation (0x07)

Since the SDK does not have the concept of a subcommand natively, these are all exposed as their own separate commands.

See the user manual entry on Credential Management for a much more in depth guide to working with credentials within FIDO2. For more information on a particular subcommand, see the API reference documentation for that command class.

Some of the subcommands return data (e.g. a credential), others return only a success or failure response code.

Constructors

CredentialManagementCommand()

This constructor throws NotImplementedException. It is explicitly defined so that a CredentialManagementCommand cannot be built without a subcommand; it is protected rather than private only because the subcommand classes derive from this one.

protected CredentialManagementCommand()

CredentialManagementCommand(int)

Constructs a new instance of CredentialManagementCommand.

public CredentialManagementCommand(int subCommand)

Parameters

subCommand int

The subcommand to execute, given as its CTAP subcommand byte (0x01 through 0x07, see the Remarks above) passed as an int.

CredentialManagementCommand(int, byte[]?, ReadOnlyMemory<byte>, PinUvAuthProtocolBase)

Constructs a new instance of CredentialManagementCommand.

public CredentialManagementCommand(int subCommand, byte[]? subCommandParams, ReadOnlyMemory<byte> pinUvAuthToken, PinUvAuthProtocolBase authProtocol)

Parameters

subCommand int

The subcommand to execute, given as its CTAP subcommand byte (0x01 through 0x07, see the Remarks above) passed as an int.

subCommandParams byte[]?

The CBOR-encoded parameters needed in order to execute the subcommand. Not all subcommands have parameters, so this can be null.

pinUvAuthToken ReadOnlyMemory<byte>

The PIN/UV Auth Token obtained from the YubiKey using the PIN. This is the encrypted token as returned by the YubiKey.

authProtocol PinUvAuthProtocolBase

The Auth Protocol used to build the Auth Token.

Remarks

Note that if the subcommand does not need the pinUvAuthToken and authProtocol (the enumerateRPsGetNextRP and enumerateCredentialsGetNextCredential subcommands carry no PIN/UV auth param), use the constructor that takes only the subCommand.

Properties

Application

Gets the YubiKeyApplication (e.g. PIV, OATH, etc.) to which this command applies.

public YubiKeyApplication Application { get; }

Property Value

YubiKeyApplication

YubiKeyApplication.Fido2 for this command.

PinUvAuthParam

The output of calling authenticate on the chosen PIN/UV protocol over the message for a particular subcommand, which for this command is the subcommand byte followed by the encoded subcommand parameters (if any).

public ReadOnlyMemory<byte>? PinUvAuthParam { get; set; }

Property Value

ReadOnlyMemory<byte>?

Remarks

See the User's Manual entry on PIN protocols for a much more in depth guide to working with PINs within FIDO2.

See also the User's Manual entry on FIDO2 Credential Management for more information on building the PIN/UV Auth Param specific to the CredentialManagement commands.

PinUvAuthProtocol

The PIN/UV protocol version chosen by the platform.

public PinUvAuthProtocol? PinUvAuthProtocol { get; set; }

Property Value

PinUvAuthProtocol?

Remarks

A PIN/UV protocol must be used when performing some of the CredentialManagement operations. The specified protocol must be one of the protocols supported by the YubiKey, which it reports in the pinUvAuthProtocols field of the AuthenticatorGetInfo response.

SubCommand

The CredentialManagement subcommand to issue to the YubiKey.

public int SubCommand { get; set; }

Property Value

int

Remarks

This is a mandatory parameter, and must be one of the following values:

- getCredsMetadata (0x01)
- enumerateRPsBegin (0x02)
- enumerateRPsGetNextRP (0x03)
- enumerateCredentialsBegin (0x04)
- enumerateCredentialsGetNextCredential (0x05)
- deleteCredential (0x06)
- updateUserInformation (0x07)

Alternatively, you can use one of the command classes exposed by the SDK that represents the subcommand itself. This is the recommended approach, as each of these command classes exposes only the parameters relevant to its subcommand.
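The following is an added example, not code from the Yubico SDK documentation, showing the recommended route: driving the subcommands listed above through Fido2Session instead of constructing CredentialManagementCommand by hand. The SDK member names it relies on (Fido2Session, KeyCollector, KeyEntryData, AuthenticatorInfo.Options, GetCredentialMetadata, EnumerateRelyingParties, EnumerateCredentialsForRelyingParty, CredentialUserInfo, DeleteCredential) are assumed from the SDK's public FIDO2 API; the PIN is a constructed placeholder.

```csharp
// Added example (not SDK code): credential management through Fido2Session.
// Assumed SDK members: Fido2Session, KeyEntryData/KeyEntryRequest,
// AuthenticatorInfo.Options/Versions, GetCredentialMetadata,
// EnumerateRelyingParties, EnumerateCredentialsForRelyingParty,
// CredentialUserInfo, DeleteCredential.
using System;
using System.Linq;
using System.Text;
using Yubico.YubiKey;
using Yubico.YubiKey.Fido2;

public static class CredMgmtWalkthrough
{
    // Flip to true only when you really mean to delete the first credential found.
    private const bool DeleteFirstCredential = false;

    // The SDK calls this when it needs the FIDO2 PIN. Real code prompts the user;
    // the PIN below is a constructed placeholder.
    private static bool KeyCollector(KeyEntryData data)
    {
        switch (data.Request)
        {
            case KeyEntryRequest.VerifyFido2Pin:
                data.SubmitValue(Encoding.UTF8.GetBytes("123456"));
                return true;
            case KeyEntryRequest.Release:
                return true;
            default:
                return false; // cancel any request we did not expect
        }
    }

    public static void Main()
    {
        IYubiKeyDevice yubiKey = YubiKeyDevice.FindAll().FirstOrDefault()
            ?? throw new InvalidOperationException("No YubiKey found.");

        using var fido2 = new Fido2Session(yubiKey);
        fido2.KeyCollector = KeyCollector;

        // Gate on the credMgmt option from authenticatorGetInfo before issuing
        // any credential-management subcommand.
        AuthenticatorInfo info = fido2.AuthenticatorInfo;
        bool credMgmt = info.Options is not null
            && info.Options.TryGetValue("credMgmt", out bool supported)
            && supported;
        Console.WriteLine($"versions: {string.Join(", ", info.Versions)}; credMgmt: {credMgmt}");
        if (!credMgmt)
        {
            return;
        }

        // getCredsMetadata (0x01)
        (int discoverable, int remaining) = fido2.GetCredentialMetadata();
        Console.WriteLine($"{discoverable} discoverable credential(s), room for {remaining} more");

        // enumerateRPsBegin/GetNextRP (0x02/0x03), then per RP
        // enumerateCredentialsBegin/GetNextCredential (0x04/0x05)
        foreach (RelyingParty rp in fido2.EnumerateRelyingParties())
        {
            foreach (CredentialUserInfo cred in fido2.EnumerateCredentialsForRelyingParty(rp))
            {
                string credId = Convert.ToHexString(cred.CredentialId.Id.Span);
                Console.WriteLine($"  {rp.Id}: user={cred.User.Name} credProtect={cred.CredProtectPolicy} id={credId}");

                if (DeleteFirstCredential)
                {
                    fido2.DeleteCredential(cred.CredentialId); // deleteCredential (0x06)
                    return;
                }
            }
        }
    }
}
```

Each Fido2Session call above maps onto one or more of the subcommand classes; the PIN/UV auth token, protocol negotiation and the PinUvAuthParam for each subcommand are handled inside the session, which is why this is the path the Remarks recommend over CredentialManagementCommand itself.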

SubCommandParameters

The encoded params for the specified subcommand. If a subcommand has no parameters, this will be null.

public ReadOnlyMemory<byte>? SubCommandParameters { get; }

Property Value

ReadOnlyMemory<byte>?

Methods

CreateCommandApdu()

Creates a well-formed CommandApdu to send to the YubiKey.

public CommandApdu CreateCommandApdu()

Returns

CommandApdu

A valid CommandApdu that is ready to be sent to the YubiKey, or passed along to additional encoders for further processing.

Remarks

This version of the CreateCommandApdu method will build the APDU for the authenticatorCredentialManagement command. That is, it is equivalent to calling CreateCommandApdu(false).

This method will first perform validation on all of the parameters and data provided to it. The CommandApdu it creates should contain the entire data payload for the command, even if it exceeds the 65,535 bytes allowed by the ISO 7816-4 specification. The APDU will be properly chained by the device connection prior to being sent to the YubiKey, and the responses will be collapsed into a single result.

CreateCommandApdu(bool)

Creates a well-formed CommandApdu to send to the YubiKey.

public CommandApdu CreateCommandApdu(bool isPreview)

Parameters

isPreview bool

Indicates whether this command should use the CredentialMgmtPreview command (true) or authenticatorCredentialManagement (false). The parameterless CreateCommandApdu() overload is equivalent to passing false.

Returns

CommandApdu

Remarks

This version of the CreateCommandApdu method contains an arg indicating whether it should build an APDU for the CredentialMgmtPreview command (true) or for the authenticatorCredentialManagement command (false).

The authenticatorCredentialManagement command was introduced in FIDO2.1. Hence, YubiKeys that do not support 2.1 will not have this feature. However, there was a version "2_1_PRE" which contained the "CredentialMgmtPreview" command. Each "credMgmt" command has a corresponding operation in this preview command.

If the YubiKey does not support "credMgmt" but does support "CredentialMgmtPreview", then pass true as the isPreview arg. Otherwise, either pass false to this method or call the CreateCommandApdu method that takes no argument.
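The following is an added example, not code from the Yubico SDK, that hand-builds the CTAP 2.1 authenticatorCredentialManagement request that CreateCommandApdu() and CreateCommandApdu(bool) package into an APDU, using only .NET (the System.Formats.Cbor package and System.Security.Cryptography). It makes the pieces this class holds visible on the wire: the SubCommand, the CBOR SubCommandParameters, the PinUvAuthProtocol, and the PinUvAuthParam computed as described under the PinUvAuthParam property (HMAC over subCommand || subCommandParams), plus the 0x0A versus 0x41 command byte selected by isPreview. One simplification relative to the SDK constructor: the HMAC key here is the plaintext PIN/UV auth token, a constructed stand-in, whereas the SDK constructor takes the encrypted token as returned by the YubiKey. The subcommand constants and helper names are this example's own.

```csharp
// Added example (not SDK code): the CTAP 2.1 credential-management request
// as bytes. Needs the System.Formats.Cbor package on .NET 6 or later.
using System;
using System.Formats.Cbor;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public static class CredMgmtRequest
{
    // CTAP command bytes: the 2.1 command and its FIDO_2_1_PRE preview variant.
    public const byte AuthenticatorCredentialManagement = 0x0A;
    public const byte CredentialMgmtPreview = 0x41;

    // Subcommands from the Remarks above.
    public const int GetCredsMetadata = 0x01;
    public const int EnumerateRPsBegin = 0x02;
    public const int EnumerateCredentialsBegin = 0x04;
    public const int EnumerateCredentialsGetNextCredential = 0x05;
    public const int DeleteCredential = 0x06;

    // subCommandParams for enumerateCredentialsBegin: CBOR map { 0x01: rpIDHash }.
    public static byte[] EnumerateCredentialsParams(string rpId)
    {
        var w = new CborWriter(CborConformanceMode.Ctap2Canonical);
        w.WriteStartMap(1);
        w.WriteInt32(0x01);
        w.WriteByteString(SHA256.HashData(Encoding.UTF8.GetBytes(rpId)));
        w.WriteEndMap();
        return w.Encode();
    }

    // subCommandParams for deleteCredential: CBOR map { 0x02: PublicKeyCredentialDescriptor }.
    public static byte[] DeleteCredentialParams(byte[] credentialId)
    {
        var w = new CborWriter(CborConformanceMode.Ctap2Canonical);
        w.WriteStartMap(1);
        w.WriteInt32(0x02);
        w.WriteStartMap(2);
        w.WriteTextString("id");
        w.WriteByteString(credentialId);
        w.WriteTextString("type");
        w.WriteTextString("public-key");
        w.WriteEndMap();
        w.WriteEndMap();
        return w.Encode();
    }

    // pinUvAuthParam = authenticate(pinUvAuthToken, subCommand || subCommandParams).
    // Both protocols use HMAC-SHA-256; protocol 1 keeps the first 16 bytes, protocol 2 all 32.
    public static byte[] ComputePinUvAuthParam(byte[] pinUvAuthToken, int subCommand,
                                               byte[]? subCommandParams, int pinUvAuthProtocol)
    {
        byte[] message = new[] { (byte)subCommand }
            .Concat(subCommandParams ?? Array.Empty<byte>())
            .ToArray();
        byte[] mac = HMACSHA256.HashData(pinUvAuthToken, message);
        return pinUvAuthProtocol == 1 ? mac[..16] : mac;
    }

    // Full CTAP payload: command byte || CBOR map
    // { 0x01: subCommand, 0x02: subCommandParams, 0x03: pinUvAuthProtocol, 0x04: pinUvAuthParam }.
    // A null token omits keys 3 and 4, as the GetNext subcommands require.
    public static byte[] Build(int subCommand, byte[]? subCommandParams, byte[]? pinUvAuthToken,
                               int pinUvAuthProtocol, bool isPreview = false)
    {
        var w = new CborWriter(CborConformanceMode.Ctap2Canonical);
        int entries = 1 + (subCommandParams is null ? 0 : 1) + (pinUvAuthToken is null ? 0 : 2);
        w.WriteStartMap(entries);
        w.WriteInt32(0x01);
        w.WriteInt32(subCommand);
        if (subCommandParams is not null)
        {
            w.WriteInt32(0x02);
            w.WriteEncodedValue(subCommandParams); // already a CBOR map
        }
        if (pinUvAuthToken is not null)
        {
            w.WriteInt32(0x03);
            w.WriteInt32(pinUvAuthProtocol);
            w.WriteInt32(0x04);
            w.WriteByteString(ComputePinUvAuthParam(pinUvAuthToken, subCommand, subCommandParams, pinUvAuthProtocol));
        }
        w.WriteEndMap();
        byte command = isPreview ? CredentialMgmtPreview : AuthenticatorCredentialManagement;
        return new[] { command }.Concat(w.Encode()).ToArray();
    }

    public static void Main()
    {
        // Constructed stand-in for a plaintext PIN/UV auth token.
        byte[] token = Enumerable.Range(0, 32).Select(i => (byte)i).ToArray();

        byte[] metadata = Build(GetCredsMetadata, null, token, 2);
        byte[] enumBegin = Build(EnumerateCredentialsBegin, EnumerateCredentialsParams("example.com"), token, 2);
        byte[] getNext = Build(EnumerateCredentialsGetNextCredential, null, null, 2);
        byte[] preview = Build(GetCredsMetadata, null, token, 1, isPreview: true);

        Console.WriteLine($"getCredsMetadata (0x0A, proto 2): {Convert.ToHexString(metadata)}");
        Console.WriteLine($"enumerateCredentialsBegin:        {Convert.ToHexString(enumBegin)}");
        Console.WriteLine($"getNextCredential, no auth param: {Convert.ToHexString(getNext)}");
        Console.WriteLine($"preview (0x41, proto 1, 16-byte): {Convert.ToHexString(preview)}");
    }
}
```

Two details worth checking against a real YubiKey: the CBOR must be CTAP2 canonical (definite-length maps, keys sorted), which CborConformanceMode.Ctap2Canonical enforces, and the auth param must be computed over exactly the encoded parameter bytes that are sent, which is why Build reuses the same subCommandParams array for both the HMAC and the map entry.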

CreateResponseForApdu(ResponseApdu)

Creates the corresponding IYubiKeyResponse implementation for the current command.

public CredentialManagementResponse CreateResponseForApdu(ResponseApdu responseApdu)

Parameters

responseApdu ResponseApdu

The ResponseApdu returned by the YubiKey.

Returns

CredentialManagementResponse

The implementation of IYubiKeyResponse that parses and presents this response APDU.