Class CredentialId

Namespace
Yubico.YubiKey.Fido2
Assembly
Yubico.YubiKey.dll

A FIDO2 credentialId, consisting of type, ID, and transports.

public class CredentialId
Inheritance
object
CredentialId

Remarks

A credential ID is how credentials can be identified. That is, there should be a one-to-one correspondence between credentials and credentialIds. When you make a new credential, the YubiKey will build a credentialId and store the credential against this value. Later on, you can enumerate the credentials on a YubiKey, which will return each credentialId.

The FIDO2 standard defines a "credentialId" as a PublicKeyCredentialDescriptor, which is defined in the W3C standard. The W3C standard defines a PublicKeyCredentialDescriptor as a "dictionary" consisting of a type, an id, and an optional sequence of transports, and it further defines that id as a "Credential ID". So there is a "credentialId" in FIDO2 and a "Credential ID" in W3C, and they are not the same thing: the W3C "Credential ID" is only the id component of the FIDO2 "credentialId". This class is a FIDO2 "credentialId".

Currently only one type is supported: the string "public-key". However, the standard also allows authenticators to support non-standard values.

The id is a byte array. It can be random (at least 16 bytes long), or it can be encrypted identifying data.

The transports are defined as a sequence (list) of supported strings describing transport methods. Currently, a list of transports will be a subset of the following strings: "usb", "nfc", "ble", "hybrid", and "internal".

The two or three elements that make up a credentialId can be CBOR-encoded into a single byte array. For example, when a YubiKey returns a credentialId (e.g. when enumerating), it is encoded. To decode the value into its component parts, use this class.

Constructors

CredentialId()

Constructs a new instance of CredentialId.

public CredentialId()

CredentialId(ReadOnlyMemory<byte>, out int)

Constructs a new instance of CredentialId from the encodedCredentialId.

public CredentialId(ReadOnlyMemory<byte> encodedCredentialId, out int bytesRead)

Parameters

encodedCredentialId ReadOnlyMemory<byte>

The CBOR encoding of the credential ID.

bytesRead int

The constructor will return the number of bytes read.

Remarks

This constructor expects the encoding to follow this CBOR template.

map {
  "type"        --text string--
  "id"          --byte string--
  "transports"  --array of strings-- (optional)
}

Exceptions

Ctap2DataException

The encodedCredentialId is not a correct encoding.

Properties

Id

The id component of the credentialId.

public ReadOnlyMemory<byte> Id { get; set; }

Property Value

ReadOnlyMemory<byte>

Transports

The transports component of the credentialId. This is an optional parameter, so it can be null.

public IReadOnlyList<string>? Transports { get; }

Property Value

IReadOnlyList<string>

Remarks

The transports component of the credentialId can contain more than one transport. To add an entry to the list, call AddTransport(string).

The standard defines some strings, and allows for vendor- or application-defined values as well. The standard-defined strings are in the class AuthenticatorTransports.

Type

The type component of the credentialId.

public string Type { get; set; }

Property Value

string

Remarks

Upon construction, this property will be set to "public-key".

Currently, the only type specified is the string "public-key". Unless you need a non-standard value, do not set this property; it already holds "public-key".

However, the standard also allows authenticators to support non-standard values. That is, an authenticator must support the standard type, and is allowed to support only the standard type, but is also allowed to support non-standard types.

While using a non-standard value will likely yield an error from the YubiKey, this class will follow the standard and allow for non-standard types.

Methods

AddTransport(string)

Add an entry to the list of transports.

public void AddTransport(string transport)

Parameters

transport string

The transport to add.

Remarks

If there is no list yet when this method is called, one will be created. That is, even if the Transports property is null, you can call the method to add an entry.

The standard defines some specific strings to use with some transports. These specific strings are defined in the AuthenticatorTransports static class. For example, to add the USB transport, call

credentialId.AddTransport(AuthenticatorTransports.Usb);

The standard also specifies that it is permissible to add non-standard transports.

Exceptions

ArgumentNullException

The transport argument is null.

CborEncode()

Return a new byte array that is the object encoded following the FIDO2/CBOR standard.

public byte[] CborEncode()

Returns

byte[]

The encoded construct.

Exceptions

InvalidOperationException

The object contains no data.
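As an added example (not code from the Yubico .NET SDK or from this page), the following Python implements just enough of CBOR (RFC 8949) to encode and decode the constructor's template: a map keyed by the text strings "type", "id" and "transports", where id is a byte string and transports is an array of text strings. It mirrors both the CredentialId(ReadOnlyMemory<byte>, out int) constructor (returning the number of bytes consumed, and failing on a malformed encoding where the SDK throws Ctap2DataException) and CborEncode() (failing on an empty id where the SDK throws InvalidOperationException). The function names, the use of ValueError for the failure cases, and the strict rejection of unknown map keys are assumptions of this example, not SDK behaviour.

```python
# Minimal CBOR codec for a FIDO2 credentialId (PublicKeyCredentialDescriptor).
# Added example: not code from the Yubico .NET SDK. It implements only the CBOR
# subset the template needs (RFC 8949 major types 2 byte string, 3 text string,
# 4 array, 5 map) and validates the structure strictly; ValueError stands in
# for the SDK's Ctap2DataException / InvalidOperationException.

MAJOR_BYTES, MAJOR_TEXT, MAJOR_ARRAY, MAJOR_MAP = 2, 3, 4, 5


def _encode_head(major: int, length: int) -> bytes:
    """Initial byte (major type in the top 3 bits) plus the shortest length argument."""
    if length < 24:
        return bytes([(major << 5) | length])
    if length < 0x100:
        return bytes([(major << 5) | 24, length])
    if length < 0x10000:
        return bytes([(major << 5) | 25]) + length.to_bytes(2, "big")
    raise ValueError("length not supported by this minimal encoder")


def _encode_text(s: str) -> bytes:
    raw = s.encode("utf-8")
    return _encode_head(MAJOR_TEXT, len(raw)) + raw


def encode_credential_id(cred_type: str, cred_id: bytes, transports=None) -> bytes:
    """Mirror of CborEncode(): map {type, id, transports?}; transports omitted when None."""
    if not cred_id:
        raise ValueError("credentialId contains no id")  # SDK: InvalidOperationException
    out = _encode_head(MAJOR_MAP, 3 if transports is not None else 2)
    out += _encode_text("type") + _encode_text(cred_type)
    out += _encode_text("id") + _encode_head(MAJOR_BYTES, len(cred_id)) + cred_id
    if transports is not None:
        out += _encode_text("transports") + _encode_head(MAJOR_ARRAY, len(transports))
        for t in transports:
            out += _encode_text(t)
    return out


def _decode_head(data: bytes, pos: int):
    """Return (major, argument, next_pos); only 1- and 2-byte length arguments handled."""
    if pos >= len(data):
        raise ValueError("truncated CBOR")
    major, info = data[pos] >> 5, data[pos] & 0x1F
    pos += 1
    if info < 24:
        return major, info, pos
    width = {24: 1, 25: 2}.get(info)
    if width is None or pos + width > len(data):
        raise ValueError("unsupported or truncated CBOR length")
    return major, int.from_bytes(data[pos:pos + width], "big"), pos + width


def _decode_string(data: bytes, pos: int, expected_major: int):
    """Read a byte string or text string, rejecting any other major type."""
    major, length, pos = _decode_head(data, pos)
    if major != expected_major:
        raise ValueError(f"expected major type {expected_major}, got {major}")
    if pos + length > len(data):
        raise ValueError("truncated CBOR string")
    raw = bytes(data[pos:pos + length])
    return (raw.decode("utf-8") if major == MAJOR_TEXT else raw), pos + length


def decode_credential_id(data: bytes):
    """Mirror of the constructor: returns (type, id, transports or None, bytes_read)."""
    major, count, pos = _decode_head(data, 0)
    if major != MAJOR_MAP:
        raise ValueError("credentialId must be a CBOR map")
    cred_type = cred_id = transports = None
    for _ in range(count):
        key, pos = _decode_string(data, pos, MAJOR_TEXT)
        if key == "type":
            cred_type, pos = _decode_string(data, pos, MAJOR_TEXT)
        elif key == "id":
            cred_id, pos = _decode_string(data, pos, MAJOR_BYTES)  # byte string, not text
        elif key == "transports":
            major, n, pos = _decode_head(data, pos)
            if major != MAJOR_ARRAY:
                raise ValueError("transports must be an array of text strings")
            transports = []
            for _ in range(n):
                t, pos = _decode_string(data, pos, MAJOR_TEXT)
                transports.append(t)
        else:
            raise ValueError(f"unexpected key {key!r} in credentialId")  # strict choice
    if cred_type is None or cred_id is None:
        raise ValueError("credentialId requires both type and id")
    return cred_type, cred_id, transports, pos


if __name__ == "__main__":
    # Constructed sample: standard type, a 16-byte id, two standard transports.
    encoded = encode_credential_id("public-key", bytes(range(16)), ["usb", "nfc"])
    print(encoded.hex())
    print(decode_credential_id(encoded))
```

Two points worth noticing when reading the decoder: an encoding that carries the id as a text string (major type 3) rather than a byte string (major type 2) is rejected rather than silently accepted, which is the distinction the template draws, and a truncated buffer fails before any partially parsed value is returned, so bytes_read is only reported for a complete, well-formed map.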