
GetSerializedLargeBlobArray Method

GetSerializedLargeBlobArray()

Get the current Serialized Large Blob Array out of the YubiKey. See also the User's Manual entry on large blobs.

C#
public SerializedLargeBlobArray GetSerializedLargeBlobArray()

Returns

SerializedLargeBlobArray

A new instance of the SerializedLargeBlobArray class containing the currently stored large blob data.

Exceptions

Type: NotSupportedException

Condition: The YubiKey selected does not support large blobs.

Remarks

Note that this feature is not available on all YubiKeys. To determine if large blobs are supported on a YubiKey, check the Options in the AuthenticatorInfo property of this class. For example,

// Large blobs are optional; check the authenticator's reported options first.
OptionValue optionValue =
    fido2Session.AuthenticatorInfo.GetOptionValue(AuthenticatorOptions.largeBlobs);
if (optionValue != OptionValue.True)
{
    return;
}
// Largest serialized large blob array this YubiKey can store, in bytes
// (null when the authenticator does not report a maximum).
int maxLargeBlobsLength =
    fido2Session.AuthenticatorInfo.MaximumSerializedLargeBlobArray ?? 0;

A serialized large blob array is the large blob array concatenated with the digest of the array. The digest is the first 16 bytes (left 16 bytes) of the SHA-256 of the CBOR-encoded array.

Once you have the object containing the data, you can read each entry by decrypting it with the appropriate LargeBlobKey. Each entry is encrypted with the large blob key of one credential (each credential has a different large blob key). The standard specifies obtaining a large blob key (likely from a GetAssertion call) and trying to decrypt each entry in the array with that key; if decryption succeeds, that entry is associated with the credential and the decrypted data is returned. See also TryDecrypt(ReadOnlyMemory<byte>, out Memory<byte>).

A YubiKey is manufactured with the initial large blob data, which is an array of zero elements plus the digest of the CBOR-encoding of a zero-element array. An array with zero elements is simply the single byte 0x80. Hence, there will always be a current large blob array to retrieve.

The standard specifies that when reading a serialized large blob array, a client must verify the digest. If the digest does not verify, the standard specifically says, "the configuration is corrupt and the platform MUST discard it and act as if the initial serialized large-blob array was received." This method will verify the digest value. If the digest does not verify, this method will return a new SerializedLargeBlobArray containing the initial value. It will not overwrite the data on the YubiKey, so you can still use the GetLargeBlobCommand to get the raw data.
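The digest rule described above, as an added stand-alone example (not part of the SDK or of this page's code): build a serialized large blob array as the CBOR array followed by the left 16 bytes of its SHA-256, then verify one and fall back to the initial 17-byte array on a mismatch, as the standard requires. The entries used are constructed opaque CBOR byte strings, not real encrypted large blob entries, and the CBOR array encoder is a minimal one written for this example.

```python
import hashlib

# CBOR encoding of a zero-element array (major type 4, length 0).
EMPTY_CBOR_ARRAY = b"\x80"
DIGEST_LEN = 16  # left 16 bytes of SHA-256, per CTAP 2.1


def encode_cbor_array(items):
    """Definite-length CBOR array of already-encoded CBOR items (up to 255)."""
    n = len(items)
    if n < 24:
        header = bytes([0x80 | n])
    elif n < 256:
        header = b"\x98" + bytes([n])
    else:
        raise ValueError("example supports at most 255 entries")
    return header + b"".join(items)


def digest_of(cbor_array):
    """Digest appended to the array: SHA-256 of the CBOR bytes, truncated to 16 bytes."""
    return hashlib.sha256(cbor_array).digest()[:DIGEST_LEN]


def serialize(cbor_array):
    """Serialized large blob array = CBOR array || digest."""
    return cbor_array + digest_of(cbor_array)


# What a YubiKey holds before anything is written: 0x80 plus its digest (17 bytes).
INITIAL_SERIALIZED_ARRAY = serialize(EMPTY_CBOR_ARRAY)


def verify_and_parse(serialized):
    """Return (digest_ok, cbor_array).

    On a bad digest, or on input too short to carry one, the platform must act
    as if it had received the initial array, so that is what is returned.
    """
    if len(serialized) < 1 + DIGEST_LEN:
        return False, EMPTY_CBOR_ARRAY
    body, digest = serialized[:-DIGEST_LEN], serialized[-DIGEST_LEN:]
    if digest != digest_of(body):
        return False, EMPTY_CBOR_ARRAY
    return True, body


if __name__ == "__main__":
    # Constructed placeholder entries (CBOR byte strings), not real encrypted entries.
    stored = serialize(encode_cbor_array([b"\x45hello", b"\x45world"]))
    print(verify_and_parse(stored))
    corrupted = stored[:-1] + bytes([stored[-1] ^ 0x01])  # flip one digest bit
    print(verify_and_parse(corrupted))
```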

Because writing to the large blob area of a YubiKey overwrites the existing data, the recommended way to add to, remove from, or "edit" the large blob data is to get the current large blob array, operate on the resulting SerializedLargeBlobArray, and then call SetSerializedLargeBlobArray(SerializedLargeBlobArray) with the updated data. Even if your application has not updated the large blob array, another application may have stored data there, and you likely do not want to overwrite it.
