Class LargeBlobEntry

Namespace
Yubico.YubiKey.Fido2
Assembly
Yubico.YubiKey.dll

Contains the data from one entry in the Large Blob Array. See also the user's manual entry on large blobs.

public class LargeBlobEntry
Inheritance
object
LargeBlobEntry

Remarks

The SerializedLargeBlobArray class contains a List of LargeBlobEntry, this class. When you get a Large Blob Array from a YubiKey (GetSerializedLargeBlobArray()), you get a SerializedLargeBlobArray object. You then have access to each of the individual entries in the Large Blob Array through that list of LargeBlobEntry. If you want to add a new LargeBlobEntry to the Array's List, call the AddEntry(ReadOnlyMemory<byte>, ReadOnlyMemory<byte>) method.

This class contains only properties and a TryDecrypt(ReadOnlyMemory<byte>, out Memory<byte>) method. You will not build an individual entry yourself; only the SerializedLargeBlobArray class can do that. You will, however, be able to see the data of the entry.

Properties

Ciphertext

The encrypted data. This is either the retrieved encrypted data when getting a Large Blob Array, or the provided data encrypted using the specified LargeBlobKey when creating a new entry to store. The last 16 bytes make up the GCM authentication tag.

public ReadOnlyMemory<byte> Ciphertext { get; }

Property Value

ReadOnlyMemory<byte>

Remarks

The plaintext data is compressed before encrypting.

Nonce

The nonce used to perform the AES-GCM operation. This is either the retrieved nonce when getting a Large Blob Array, or the generated nonce used when creating a new entry to store.

public ReadOnlyMemory<byte> Nonce { get; }

Property Value

ReadOnlyMemory<byte>

OriginalDataLength

The length, in bytes, of the unencrypted, uncompressed data. This is either the retrieved origSize in the Large Blob Map when getting a Large Blob Array, or the length, in bytes, of the provided data when creating a new entry to store.

public int OriginalDataLength { get; }

Property Value

int

Methods

TryDecrypt(ReadOnlyMemory<byte>, out Memory<byte>)

Try to decrypt the data using the given key. If the key is correct, this method returns true and places the plaintext (decrypted and decompressed) in the out argument.

public bool TryDecrypt(ReadOnlyMemory<byte> largeBlobKey, out Memory<byte> plaintext)

Parameters

largeBlobKey ReadOnlyMemory<byte>

The key to use to decrypt.

plaintext Memory<byte>

An output argument. A new object containing the plaintext if the decryption succeeds, or an empty Memory object otherwise.

Returns

bool

A boolean, true if the data is successfully decrypted using the given key, and false otherwise.

Remarks

Because the data is encrypted using AES-GCM, the ciphertext contains both the encrypted data and an "authentication tag". Any key will decrypt the data and produce some result, but only the correct key will verify the tag. Hence, this method is able to determine whether the key provided was the correct key and the decrypted data is the correct data.

If the method is able to decrypt (and authenticate) using the key, it then decompresses the decrypted data.

When reading a Large Blob Array, you will likely obtain the large blob data from the YubiKey, resulting in a SerializedLargeBlobArray object. At that point, each entry contains only the encrypted data. You then obtain the LargeBlobKey from the target credential and use it to try to decrypt the data of each entry in the Large Blob Array.

Note that the plaintext returned is a Memory object, not a ReadOnlyMemory object. This is so you can overwrite it for security reasons if you want.
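The scan described above, written out as an added example (not code from the SDK or its documentation). It assumes the entry list is exposed as an Entries property on SerializedLargeBlobArray and that the caller already holds the target credential's LargeBlobKey; LargeBlobReader and ReadBlobsForKey are hypothetical names.

```csharp
using System;
using System.Collections.Generic;
using Yubico.YubiKey.Fido2;

// Hypothetical helper (not part of the SDK): return a copy of every entry
// that decrypts and authenticates under the given credential's LargeBlobKey.
public static class LargeBlobReader
{
    public static List<byte[]> ReadBlobsForKey(
        SerializedLargeBlobArray blobArray, ReadOnlyMemory<byte> largeBlobKey)
    {
        var blobs = new List<byte[]>();

        // Assumption: the List of LargeBlobEntry is exposed as Entries.
        foreach (LargeBlobEntry entry in blobArray.Entries)
        {
            // TryDecrypt checks the GCM tag, so false just means this entry
            // was written for a different credential; keep scanning.
            if (!entry.TryDecrypt(largeBlobKey, out Memory<byte> plaintext))
            {
                continue;
            }

            // The decompressed length must match the origSize recorded in
            // the Large Blob Map; treat a mismatch as a malformed entry.
            if (plaintext.Length != entry.OriginalDataLength)
            {
                plaintext.Span.Clear();
                throw new InvalidOperationException(
                    "Decrypted length does not match OriginalDataLength.");
            }

            blobs.Add(plaintext.ToArray());

            // The out argument is a writable Memory<byte>, so the decrypted
            // copy can be wiped as soon as it has been consumed.
            plaintext.Span.Clear();
        }

        return blobs;
    }
}

// Usage sketch, assuming an open Fido2Session named fido2Session and the
// largeBlobKey obtained from an assertion on the target credential:
//   SerializedLargeBlobArray blobArray = fido2Session.GetSerializedLargeBlobArray();
//   List<byte[]> blobs = LargeBlobReader.ReadBlobsForKey(blobArray, largeBlobKey);
```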