
Class MakeCredentialData

Namespace
Yubico.YubiKey.Fido2
Assembly
Yubico.YubiKey.dll

Contains the data returned by the YubiKey after making a credential.

public class MakeCredentialData
Inheritance
object
MakeCredentialData

Remarks

When a new credential is made, the YubiKey returns data about that credential, including attestation information. There are several elements in this data and this structure contains those elements.

Constructors

MakeCredentialData(ReadOnlyMemory<byte>)

Build a new instance of MakeCredentialData based on the given CBOR encoding.

public MakeCredentialData(ReadOnlyMemory<byte> cborEncoding)

Parameters

cborEncoding ReadOnlyMemory<byte>

The credential data, encoded following the CTAP 2.1 and CBOR (RFC 8949) standards.

Remarks

The encoding must follow the definition of authenticatorMakeCredential response structure in section 6.1.2 of the CTAP 2.1 standard.

Exceptions

Ctap2DataException

The cborEncoding is not a valid CBOR encoding, or it is not a correct encoding for FIDO2 credential data.

Properties

AttestationAlgorithm

The algorithm used to create the attestation statement.

public CoseAlgorithmIdentifier AttestationAlgorithm { get; }

Property Value

CoseAlgorithmIdentifier

AttestationCertificates

This list contains the certificate holding the public key that verifies the attestation statement, and possibly CA certificates that chain to a root. This is an optional element, so it can be null.

public IReadOnlyList<X509Certificate2>? AttestationCertificates { get; }

Property Value

IReadOnlyList<X509Certificate2>

Remarks

The first cert in this list (AttestationCertificates[0]) is the certificate that contains the public key that verifies the AttestationStatement. Any further certificates are intermediates that chain toward a root; the root itself is not necessarily included. The data to verify is the AuthenticatorData concatenated with the client data hash (from the MakeCredentialParameters).

AttestationStatement

The signature that is the attestation statement, which can be used to verify that the public key credential was generated by the YubiKey. This is an optional element; because ReadOnlyMemory<byte> is a struct and cannot itself be null, an absent statement shows up as an empty value (Length of 0).

public ReadOnlyMemory<byte> AttestationStatement { get; }

Property Value

ReadOnlyMemory<byte>

Remarks

Use the public key in the first element (index 0) of the AttestationCertificates to verify this signature. If no attestation certificate is provided, the authenticator assumes the entity that must verify the signature already has access to the appropriate cert.

The data to verify is the AuthenticatorData concatenated with the client data hash (from the MakeCredentialParameters).

AuthenticatorData

The object that contains both the encoded authenticator data, which is the data signed by the attestation statement, and the decoded elements, including the credential itself (its credential ID and public key).

public AuthenticatorData AuthenticatorData { get; }

Property Value

AuthenticatorData

Remarks

Save the public key in this object and use it to verify assertions returned by calling GetAssertion.

EncodedAttestationStatement

The encoded CBOR map that describes the attestation statement.

public ReadOnlyMemory<byte> EncodedAttestationStatement { get; }

Property Value

ReadOnlyMemory<byte>

Remarks

The other members of this class make it easy to access the individual elements of the attestation statement and supporting structures. This property returns the raw, CBOR-encoded attestation statement exactly as returned by the YubiKey. This is useful if you are implementing or interoperating with the WebAuthn data types: it is often easier to copy this field over in its encoded form than to rebuild it from the parsed properties.

For example, the WebAuthn create (MakeCredential) operation returns an "attestation object". This is a CBOR map with the text keys "fmt", "attStmt", and "authData". "authData" is the encoded AuthenticatorData carried as a CBOR byte string (it is Base64URL-encoded only when the whole attestation object is transported in JSON). "attStmt" is the CBOR map that, for the "packed" format, carries the AttestationAlgorithm ("alg"), AttestationStatement ("sig"), and AttestationCertificates ("x5c").

Rather than reconstructing that "attStmt" map from the parsed properties, use this property, which already holds it in encoded form.
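As an added example (not SDK code and not part of this page), the following assembles a WebAuthn attestation object from a MakeCredentialData instance using System.Formats.Cbor, splicing in EncodedAttestationStatement as-is. It assumes AuthenticatorData exposes the raw encoded authenticator data as a property named EncodedAuthenticatorData of type ReadOnlyMemory<byte>; that property name is an assumption, not something documented here.

```csharp
using System;
using System.Formats.Cbor;
using Yubico.YubiKey.Fido2;

// Added example, not SDK code. Builds the WebAuthn "attestation object"
// { "fmt": ..., "attStmt": ..., "authData": ... } from MakeCredentialData.
// Assumption: AuthenticatorData.EncodedAuthenticatorData holds the raw
// CTAP authenticator data bytes.
public static class AttestationObjectBuilder
{
    public static byte[] Build(MakeCredentialData credentialData)
    {
        // CTAP2 canonical CBOR orders map keys by length, then bytewise:
        // "fmt" (3) < "attStmt" (7) < "authData" (8). CborWriter in
        // Ctap2Canonical mode throws if the keys are written out of order.
        var writer = new CborWriter(CborConformanceMode.Ctap2Canonical);
        writer.WriteStartMap(3);

        writer.WriteTextString("fmt");
        writer.WriteTextString(credentialData.Format);

        // attStmt is already a complete CBOR map; copy the encoded bytes
        // rather than re-serialising alg / sig / x5c from the parsed properties.
        writer.WriteTextString("attStmt");
        writer.WriteEncodedValue(credentialData.EncodedAttestationStatement.Span);

        // Inside the attestation object authData is a plain CBOR byte string.
        writer.WriteTextString("authData");
        writer.WriteByteString(credentialData.AuthenticatorData.EncodedAuthenticatorData.Span);

        writer.WriteEndMap();
        return writer.Encode();
    }

    // Base64URL without padding (RFC 4648 section 5), which is how the
    // attestation object travels when the WebAuthn response is sent as JSON.
    public static string ToBase64Url(ReadOnlySpan<byte> data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');
}
```

Usage: ToBase64Url(AttestationObjectBuilder.Build(makeCredentialData)) yields the attestationObject string a WebAuthn relying party expects. Base64URL is applied to the whole object, never to authData alone.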

EnterpriseAttestation

Indicates whether an enterprise attestation was returned. This is an optional value, so if the YubiKey did not return this element, the property will be null.

public bool? EnterpriseAttestation { get; }

Property Value

bool?

Remarks

An enterprise attestation statement was returned only when this property is non-null and true. If the property is null (no entry in the response) or false, no enterprise attestation statement was returned.

Extensions

The list of extensions. This is an optional value and can be null.

public IReadOnlyDictionary<string, byte[]>? Extensions { get; }

Property Value

IReadOnlyDictionary<string, byte[]>

Remarks

Each extension is a key/value pair. All keys are strings, but each extension has its own definition of a value. It could be an int, or it could be a map containing a string and a boolean. It is the caller's responsibility to decode the value.

For each value, the standard (or the vendor in the case of vendor-defined extensions) will define the structure of the value. From that structure the value can be decoded following CBOR rules. The encoded value is what is stored in this dictionary.
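As an added example (not SDK code and not from this page), the following decodes an extension's still-encoded value from the Extensions dictionary with System.Formats.Cbor. It handles the shapes the remark above names (integers, booleans, maps) plus strings, byte strings and arrays, and adds a typed accessor for extensions whose output is a small integer; the extension name passed to ReadInt is the caller's choice.

```csharp
using System;
using System.Collections.Generic;
using System.Formats.Cbor;

// Added example, not SDK code. Decodes the CBOR-encoded extension values
// stored in MakeCredentialData.Extensions into plain .NET objects.
public static class ExtensionDecoder
{
    // Returns long, bool, string, byte[], null, List<object?> or
    // Dictionary<object, object?> depending on the CBOR item.
    public static object? Decode(byte[] encodedValue)
    {
        // Ctap2Canonical rejects indefinite-length items and unsorted map keys,
        // which a conforming authenticator must not produce.
        var reader = new CborReader(encodedValue, CborConformanceMode.Ctap2Canonical);
        object? value = ReadValue(reader);
        if (reader.BytesRemaining != 0)
        {
            throw new FormatException("trailing bytes after extension value");
        }
        return value;
    }

    private static object? ReadValue(CborReader reader)
    {
        switch (reader.PeekState())
        {
            case CborReaderState.UnsignedInteger:
            case CborReaderState.NegativeInteger:
                return reader.ReadInt64();
            case CborReaderState.Boolean:
                return reader.ReadBoolean();
            case CborReaderState.TextString:
                return reader.ReadTextString();
            case CborReaderState.ByteString:
                return reader.ReadByteString();
            case CborReaderState.Null:
                reader.ReadNull();
                return null;
            case CborReaderState.StartArray:
            {
                reader.ReadStartArray();
                var list = new List<object?>();
                while (reader.PeekState() != CborReaderState.EndArray)
                {
                    list.Add(ReadValue(reader));
                }
                reader.ReadEndArray();
                return list;
            }
            case CborReaderState.StartMap:
            {
                reader.ReadStartMap();
                var map = new Dictionary<object, object?>();
                while (reader.PeekState() != CborReaderState.EndMap)
                {
                    object key = ReadValue(reader) ?? throw new FormatException("null map key");
                    map[key] = ReadValue(reader);
                }
                reader.ReadEndMap();
                return map;
            }
            default:
                // Floats, tags and simple values do not occur in CTAP extension
                // outputs; treat them as malformed rather than guessing.
                throw new FormatException($"unexpected CBOR item: {reader.PeekState()}");
        }
    }

    // Typed accessor for an extension whose output is a small integer
    // (for example credProtect, whose value is a protection level).
    // Returns null when the YubiKey did not return that extension.
    public static int? ReadInt(IReadOnlyDictionary<string, byte[]>? extensions, string name)
    {
        if (extensions is null || !extensions.TryGetValue(name, out byte[]? encoded))
        {
            return null;
        }
        return Decode(encoded) is long value
            ? checked((int)value)
            : throw new FormatException($"extension '{name}' is not an integer");
    }
}
```

The decoder fails closed: an extension value with trailing bytes, an unexpected item type, or an integer that does not fit an int raises FormatException instead of being silently coerced, which is the behaviour you want when the value feeds a policy decision.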

Format

The attestation statement format identifier.

public string Format { get; }

Property Value

string

LargeBlobKey

If this is not null, it is the large blob key (see section 12.3 of the CTAP2 standard). This is an optional element so it can be null.

public ReadOnlyMemory<byte>? LargeBlobKey { get; }

Property Value

ReadOnlyMemory<byte>?

RawData

This returns the raw CBOR encoded credential data from the YubiKey, as returned by the MakeCredential operation.

public ReadOnlyMemory<byte> RawData { get; }

Property Value

ReadOnlyMemory<byte>

Methods

VerifyAttestation(ReadOnlyMemory<byte>)

Use the public key in the first element (index 0) of the AttestationCertificates list to verify the AuthenticatorData and client data hash against the signature that is the AttestationStatement.

public bool VerifyAttestation(ReadOnlyMemory<byte> clientDataHash)

Parameters

clientDataHash ReadOnlyMemory<byte>

The client data hash sent to the YubiKey to make the credential.

Returns

bool

A boolean, true if the attestation statement (the signature) verifies, false otherwise.

Remarks

This method returns true if the signature verifies and false otherwise. Note that a verified signature only proves that the key in AttestationCertificates[0] signed the data; whether that certificate chains to a root you trust is a separate check the caller must perform. If there are no certificates in the list, this method throws an exception.

Exceptions

InvalidOperationException

There is no cert in the attestation certificate list.
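As an added example (not SDK code and not from this page), the following shows a relying-party-side check built around VerifyAttestation: it guards the empty-certificate-list case that makes the method throw, chains AttestationCertificates[0] to a root the caller has pinned, and, for the AttestationStatement remarks above, spells out the same computation by hand for ES256 (the signed message is AuthenticatorData concatenated with the client data hash; the signature is DER-encoded ECDSA). Two names are assumptions rather than facts from this page: AuthenticatorData.EncodedAuthenticatorData for the raw authenticator data, and CoseAlgorithmIdentifier.ES256 for COSE algorithm -7. The trusted root is supplied by the caller from out-of-band vendor metadata.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Yubico.YubiKey.Fido2;

// Added example, not SDK code. Relying-party-side attestation check.
// Assumptions: AuthenticatorData.EncodedAuthenticatorData holds the raw CTAP
// authenticator data, and CoseAlgorithmIdentifier.ES256 names COSE alg -7.
public static class AttestationChecker
{
    // True only if the attestation signature verifies AND the attestation
    // certificate chains to trustedRoot. trustedRoot is obtained out of band
    // (vendor metadata); nothing in the YubiKey's response supplies it.
    public static bool VerifyPackedAttestation(
        MakeCredentialData data,
        ReadOnlyMemory<byte> clientDataHash,
        X509Certificate2 trustedRoot)
    {
        // Only the certificate-based "packed" format is handled here.
        if (data.Format != "packed")
        {
            return false;
        }

        // Guard first: VerifyAttestation throws InvalidOperationException
        // when the certificate list is null or empty.
        var certs = data.AttestationCertificates;
        if (certs is null || certs.Count == 0)
        {
            return false;
        }

        if (!data.VerifyAttestation(clientDataHash))
        {
            return false;
        }

        // A good signature only proves the key in certs[0] signed the data.
        // Trust comes from chaining certs[0] to the pinned root; any further
        // entries in the list are intermediates.
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(trustedRoot);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // offline check; set per your policy
        for (int i = 1; i < certs.Count; i++)
        {
            chain.ChainPolicy.ExtraStore.Add(certs[i]);
        }

        return chain.Build(certs[0]);
    }

    // The computation VerifyAttestation performs, written out for ES256:
    // signed message = AuthenticatorData || clientDataHash,
    // AttestationStatement = DER-encoded ECDSA signature over SHA-256.
    public static bool VerifyEs256Manually(MakeCredentialData data, ReadOnlyMemory<byte> clientDataHash)
    {
        if (data.AttestationAlgorithm != CoseAlgorithmIdentifier.ES256)
        {
            return false;
        }

        var certs = data.AttestationCertificates;
        if (certs is null || certs.Count == 0)
        {
            return false;
        }

        using ECDsa? publicKey = certs[0].GetECDsaPublicKey();
        if (publicKey is null)
        {
            return false; // certificate does not carry an EC key
        }

        ReadOnlyMemory<byte> authData = data.AuthenticatorData.EncodedAuthenticatorData;
        byte[] signedData = new byte[authData.Length + clientDataHash.Length];
        authData.CopyTo(signedData);
        clientDataHash.CopyTo(signedData.AsMemory(authData.Length));

        return publicKey.VerifyData(
            signedData,
            data.AttestationStatement.Span,
            HashAlgorithmName.SHA256,
            DSASignatureFormat.Rfc3279DerSequence);
    }
}
```

VerifyEs256Manually and VerifyAttestation should agree on the same input; the manual form exists to make the signed message and signature encoding explicit. Neither function checks the AAGUID or the credential's flags; those are separate policy checks on AuthenticatorData.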