GetSerializedLargeBlobArray Method
GetSerializedLargeBlobArray()
Get the current Serialized Large Blob Array out of the YubiKey. See also the User's Manual entry on large blobs.
public SerializedLargeBlobArray GetSerializedLargeBlobArray()
Returns
A new instance of the SerializedLargeBlobArray class containing the currently stored large blob data.
Exceptions
Type | Condition |
---|---|
System.NotSupportedException | The YubiKey selected does not support large blobs. |
Remarks
Note that this feature is not available on all YubiKeys. To determine if large blobs are supported on a YubiKey, check the Options in the AuthenticatorInfo property of this class. For example,

```csharp
// Check the "largeBlobs" option before calling GetSerializedLargeBlobArray,
// which throws NotSupportedException on a YubiKey without this feature.
OptionValue optionValue =
    fido2Session.AuthenticatorInfo.GetOptionValue(AuthenticatorOptions.largeBlobs);
if (optionValue != OptionValue.True)
{
    return;
}

// The maximum serialized array length the YubiKey accepts (null if not reported).
int maxLargeBlobsLength = fido2Session.AuthenticatorInfo.MaximumSerializedLargeBlobArray ?? 0;
```
A serialized large blob array is the large blob array concatenated with the digest of the array. The digest is the first 16 bytes (left 16 bytes) of the SHA-256 of the CBOR-encoded array.
Once you have the object containing the data, it is possible to read each entry by decrypting, using the appropriate LargeBlobKey.
Each entry is encrypted using the large blob key of one of the credentials (each credential has a different large blob key). The standard specifies obtaining a large blob key (likely from a GetAssertion call), and trying to decrypt each entry in the array using that key. If it succeeds, that entry is associated with the credential and the decrypted data will be returned. See also TryDecrypt(ReadOnlyMemory<Byte>, out Memory<Byte>).
A YubiKey is manufactured with the initial large blob data, which is an array of zero elements plus the digest of the CBOR-encoding of a zero-element array. An array with zero elements is simply the single byte 0x80. Hence, there will always be a current large blob array to retrieve.
The standard specifies that when reading a serialized large blob array, a client must verify the digest. If the digest does not verify, the standard specifically says, "the configuration is corrupt and the platform MUST discard it and act as if the initial serialized large-blob array was received." This method will verify the digest value. If the digest does not verify, this method will return a new SerializedLargeBlobArray containing the initial value. It will not overwrite the data on the YubiKey, so you can still use the GetLargeBlobCommand to get the raw data.
Because writing to the large blob area in a YubiKey means overwriting the existing data, the recommended way to add to, remove from, or "edit" the large blob data is to get the current large blob array, operate on the resulting SerializedLargeBlobArray, and then call SetSerializedLargeBlobArray(SerializedLargeBlobArray) with the updated data. Even if your application has not updated the large blob array, another application may have stored data there, and you likely do not want to overwrite that data.
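The read-modify-write flow described above, as an added example (not code from the SDK documentation): it locates the one entry the caller's large blob key decrypts, replaces it, and writes the array back while leaving other applications' entries untouched. It assumes largeBlobKey was obtained from a GetAssertion result, that the session already has a KeyCollector for the PIN/UV that the set call needs, and that Entries, AddEntry and RemoveEntry are the SerializedLargeBlobArray members with those names.

```csharp
using System;
using Yubico.YubiKey.Fido2;

public static class LargeBlobStore
{
    // Replaces (or creates) the large blob entry belonging to the credential whose
    // large blob key is given. Returns false if the YubiKey has no large blob support.
    // Assumed: largeBlobKey came from an assertion (GetAssertionData.LargeBlobKey).
    public static bool StoreForCredential(
        Fido2Session fido2Session, ReadOnlyMemory<byte> largeBlobKey, ReadOnlyMemory<byte> newData)
    {
        // Check support first; the getter throws NotSupportedException otherwise.
        OptionValue optionValue =
            fido2Session.AuthenticatorInfo.GetOptionValue(AuthenticatorOptions.largeBlobs);
        if (optionValue != OptionValue.True)
        {
            return false;
        }

        // Start from what is currently stored. The getter verifies the digest and
        // hands back the initial (empty) array if verification fails, so a corrupt
        // area is simply replaced on the next set call rather than causing an error.
        SerializedLargeBlobArray blobArray = fido2Session.GetSerializedLargeBlobArray();

        // Only the entry encrypted under our key will decrypt; remove just that one.
        // Walk backwards so removing an entry does not shift the indices still to visit.
        for (int index = blobArray.Entries.Count - 1; index >= 0; index--)
        {
            if (blobArray.Entries[index].TryDecrypt(largeBlobKey, out Memory<byte> plaintext))
            {
                plaintext.Span.Clear();       // old contents are not needed, wipe them
                blobArray.RemoveEntry(index); // entries of other credentials stay as-is
            }
        }

        // Encrypt newData under our key and append it to the array.
        blobArray.AddEntry(newData, largeBlobKey);

        // Writing overwrites the whole area, which is why we began from the current array.
        fido2Session.SetSerializedLargeBlobArray(blobArray);
        return true;
    }
}
```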