Class MakeCredentialData

Namespace
Yubico.YubiKey.Fido2
Assembly
Yubico.YubiKey.dll

Contains the data returned by the YubiKey after making a credential.

public class MakeCredentialData
Inheritance
object
MakeCredentialData

Remarks

This includes the CTAP attestation object and CTAP-specific optional response fields such as enterprise attestation, large blob key, and unsigned extension outputs.

Constructors

MakeCredentialData(ReadOnlyMemory<byte>)

Build a new instance of MakeCredentialData based on the given CBOR encoding.

public MakeCredentialData(ReadOnlyMemory<byte> cborEncoding)

Parameters

cborEncoding ReadOnlyMemory<byte>

The credential data, encoded following the CTAP and CBOR (RFC 8949) standards.

Remarks

The encoding must follow the CTAP authenticatorMakeCredential response structure.

Exceptions

Ctap2DataException

The cborEncoding is not a valid CBOR encoding, or it is not a correct encoding for FIDO2 credential data.

Properties

AttestationAlgorithm

The algorithm used to create the attestation statement.

public CoseAlgorithmIdentifier AttestationAlgorithm { get; }

Property Value

CoseAlgorithmIdentifier

AttestationCertificates

This list contains the certificates from the attestation statement's x5c field. This is an optional element so it can be null.

public IReadOnlyList<X509Certificate2>? AttestationCertificates { get; }

Property Value

IReadOnlyList<X509Certificate2>

Remarks

The first cert in this list (AttestationCertificates[0]) will be the certificate that contains the public key used to verify the AttestationSignature. For packed attestation statements, the data to verify is the AuthenticatorData concatenated with the client data hash (from the MakeCredentialParameters).

AttestationObject

The parsed attestation object containing the format, authenticator data, and attestation statement.

public AttestationObject AttestationObject { get; }

Property Value

AttestationObject

AttestationSignature

The attestation signature bytes from the parsed attestation statement's sig field.

public ReadOnlyMemory<byte> AttestationSignature { get; }

Property Value

ReadOnlyMemory<byte>

Remarks

This property is populated for attestation statement formats parsed by this SDK. Use EncodedAttestationStatement when you need the full CBOR-encoded attestation statement map.

For packed attestation statements, the data to verify is the AuthenticatorData concatenated with the client data hash (from the MakeCredentialParameters).

AuthenticatorData

The object that contains both the encoded authenticator data, which is used in verifying the attestation statement, and the decoded elements, including the credential itself (a public key).

public AuthenticatorData AuthenticatorData { get; }

Property Value

AuthenticatorData

Remarks

Save the public key in this object and use it to verify assertions returned by calling GetAssertion.

EncodedAttestationStatement

The raw CBOR-encoded full attestation statement map from the attStmt field.

public ReadOnlyMemory<byte> EncodedAttestationStatement { get; }

Property Value

ReadOnlyMemory<byte>

Remarks

This contains the complete format-specific attestation statement, not only the sig field. Use AttestationSignature when only the signature bytes are needed.

EnterpriseAttestation

Indicates whether an enterprise attestation was returned.

public bool? EnterpriseAttestation { get; }

Property Value

bool?

Remarks

A value of true means enterprise attestation was returned. A value of false or null means enterprise attestation was not returned. The value is null when the response omits the optional enterprise attestation field.

Format

The attestation statement format identifier. See AttestationFormats for standard format identifiers.

public string Format { get; }

Property Value

string

LargeBlobKey

If this is not null, it is the large blob key (see section 12.3 of the CTAP2 standard). This is an optional element so it can be null.

public ReadOnlyMemory<byte>? LargeBlobKey { get; }

Property Value

ReadOnlyMemory<byte>?

RawData

The raw CBOR-encoded MakeCredential response from the YubiKey.

public ReadOnlyMemory<byte> RawData { get; }

Property Value

ReadOnlyMemory<byte>

UnsignedExtensionOutputs

Gets the unsigned extension outputs returned by the authenticator, if any.

public IReadOnlyDictionary<string, ReadOnlyMemory<byte>>? UnsignedExtensionOutputs { get; }

Property Value

IReadOnlyDictionary<string, ReadOnlyMemory<byte>>

Remarks

This dictionary contains extension outputs that are not included in the signed authenticator data.

Methods

VerifyAttestation(ReadOnlyMemory<byte>)

Use the public key in the first certificate of the AttestationCertificates list (AttestationCertificates[0]) to verify the packed attestation statement signature over the AuthenticatorData concatenated with the client data hash.

public bool VerifyAttestation(ReadOnlyMemory<byte> clientDataHash)

Parameters

clientDataHash ReadOnlyMemory<byte>

The client data hash sent to the YubiKey to make the credential.

Returns

bool

A boolean, true if the attestation statement signature is correct, false otherwise.

Remarks

This verifies only the correctness of the attestation signature. It does not establish whether the attestation certificate is trusted. Trust validation requires application-provided trust roots and certificate path validation, which this method does not perform. Applications should perform certificate path validation of AttestationCertificates externally. If there are no certificates in the list, this method will throw an exception.

Exceptions

InvalidOperationException

There is no cert in the attestation certificate list.

NotSupportedException

The attestation algorithm is not ES256, or the attestation certificate does not contain an ECDSA public key.
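As an added example (not code from the Yubico SDK or its documentation), the following combines VerifyAttestation with the certificate path validation that the Remarks say the method does not perform, using X509Chain with application-provided trust roots. The class, method and parameter names below are assumptions for illustration, not SDK members.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Yubico.YubiKey.Fido2;

public static class AttestationChecks
{
    // Returns true only when the packed attestation signature verifies AND the
    // attestation certificate chains to one of the caller-supplied trust roots.
    public static bool VerifyAttestationAndTrust(
        MakeCredentialData makeCredentialData,
        ReadOnlyMemory<byte> clientDataHash,
        IReadOnlyCollection<X509Certificate2> trustRoots)
    {
        // Step 1: signature over AuthenticatorData || clientDataHash.
        // VerifyAttestation throws InvalidOperationException when x5c is empty and
        // NotSupportedException for non-ES256; treat both as "not verified".
        bool signatureOk;
        try
        {
            signatureOk = makeCredentialData.VerifyAttestation(clientDataHash);
        }
        catch (Exception e) when (e is InvalidOperationException || e is NotSupportedException)
        {
            return false;
        }
        if (!signatureOk) return false;

        // Step 2: certificate path validation, which VerifyAttestation does not do.
        var certs = makeCredentialData.AttestationCertificates;
        if (certs is null || certs.Count == 0) return false;

        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        foreach (var root in trustRoots)
        {
            chain.ChainPolicy.CustomTrustStore.Add(root);
        }
        // Any intermediates in x5c (certs[1..]) help the builder find the path.
        for (int i = 1; i < certs.Count; i++)
        {
            chain.ChainPolicy.ExtraStore.Add(certs[i]);
        }
        // Attestation CAs typically publish no CRL/OCSP, so revocation is not
        // checked here; curate the trust roots deliberately instead.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        return chain.Build(certs[0]);
    }
}
```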