Class MakeCredentialData
Contains the data returned by the YubiKey after making a credential.
public class MakeCredentialData
Inheritance
- object
- MakeCredentialData
Remarks
When a new credential is made, the YubiKey returns data about that credential, including attestation information. There are several elements in this data and this structure contains those elements.
Constructors
MakeCredentialData(ReadOnlyMemory<byte>)
Build a new instance of MakeCredentialData based on the given CBOR encoding.
public MakeCredentialData(ReadOnlyMemory<byte> cborEncoding)
Parameters
cborEncoding
- ReadOnlyMemory<byte>
The credential data, encoded following the CTAP 2.1 and CBOR (RFC 8949) standards.
Remarks
The encoding must follow the definition of the authenticatorMakeCredential response structure in section 6.1.2 of the CTAP 2.1 standard.
Exceptions
- Ctap2DataException
The cborEncoding is not a valid CBOR encoding, or it is not a correct encoding for FIDO2 credential data.
Properties
AttestationAlgorithm
The algorithm used to create the attestation statement.
public CoseAlgorithmIdentifier AttestationAlgorithm { get; }
Property Value
- CoseAlgorithmIdentifier
AttestationCertificates
This array contains the certificate for the public key that can be used to verify the attestation statement, and possibly CA certificates that chain to a root. This is an optional element so it can be null.
public IReadOnlyList<X509Certificate2>? AttestationCertificates { get; }
Property Value
- IReadOnlyList<X509Certificate2>?
Remarks
The first cert in this list (AttestationCertificates[0]) will be the certificate that contains the public key that will verify the AttestationStatement. The data to verify is the AuthenticatorData concatenated with the client data hash (from the MakeCredentialParameters).
AttestationStatement
The signature that is the attestation statement, which can be used to verify that the public key credential was generated by the YubiKey. This is an optional element so it can be null.
public ReadOnlyMemory<byte> AttestationStatement { get; }
Property Value
- ReadOnlyMemory<byte>
Remarks
Use the public key in the zeroth element of the AttestationCertificates to verify this signature. If no attestation certificate is provided, the authenticator assumes the entity that must verify the signature will have access to the appropriate cert.
The data to verify is the AuthenticatorData concatenated with the client data hash (from the MakeCredentialParameters).
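The verification the two remarks above describe, spelled out step by step, as an added example that is not part of the SDK's own code. It assumes the `Yubico.YubiKey.Fido2` and `Yubico.YubiKey.Fido2.Cose` namespaces, that `AuthenticatorData` exposes its raw CTAP bytes as `EncodedAuthenticatorData`, and that the enum member for ES256 is `CoseAlgorithmIdentifier.ES256`; all three are assumptions about the SDK, not taken from this page. The data to verify is the encoded authenticator data concatenated with the client data hash, the key is the one in `AttestationCertificates[0]`, and the signature is `AttestationStatement`:

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Yubico.YubiKey.Fido2;          // ASSUMPTION: namespace of MakeCredentialData
using Yubico.YubiKey.Fido2.Cose;     // ASSUMPTION: namespace of CoseAlgorithmIdentifier

public static class AttestationCheck
{
    // Manual equivalent of MakeCredentialData.VerifyAttestation for the ES256 case:
    //   toVerify  = encodedAuthenticatorData || clientDataHash
    //   key       = public key of AttestationCertificates[0]
    //   signature = AttestationStatement (DER-encoded ECDSA for ES256)
    public static bool VerifyManually(MakeCredentialData data, ReadOnlyMemory<byte> clientDataHash)
    {
        // Mirror the documented behaviour: no certificate means nothing to verify with.
        if (data.AttestationCertificates is null || data.AttestationCertificates.Count == 0)
        {
            throw new InvalidOperationException("No attestation certificate returned; cannot verify.");
        }

        // Only handle the algorithm we actually implement; never fall through to a guess.
        if (data.AttestationAlgorithm != CoseAlgorithmIdentifier.ES256)   // ASSUMPTION: enum member name
        {
            throw new NotSupportedException($"Unexpected attestation algorithm {data.AttestationAlgorithm}.");
        }

        X509Certificate2 attCert = data.AttestationCertificates[0];
        using ECDsa? publicKey = attCert.GetECDsaPublicKey();
        if (publicKey is null)
        {
            throw new InvalidOperationException("Attestation certificate does not carry an EC public key.");
        }

        // ASSUMPTION: raw CTAP authenticatorData bytes are exposed as EncodedAuthenticatorData.
        ReadOnlyMemory<byte> authData = data.AuthenticatorData.EncodedAuthenticatorData;
        byte[] toVerify = new byte[authData.Length + clientDataHash.Length];
        authData.Span.CopyTo(toVerify);
        clientDataHash.Span.CopyTo(toVerify.AsSpan(authData.Length));

        // CTAP2 ES256 attestation signatures are ASN.1 DER SEQUENCE(r, s), not raw r||s.
        return publicKey.VerifyData(
            toVerify,
            data.AttestationStatement.Span,
            HashAlgorithmName.SHA256,
            DSASignatureFormat.Rfc3279DerSequence);
    }
}
```

A passing signature check only shows that the holder of the key in `AttestationCertificates[0]` signed this credential; deciding that the key belongs to a genuine YubiKey is a separate step of chaining that certificate (and any CA certificates in the list) to a root you trust. The result of `VerifyManually` should agree with `data.VerifyAttestation(clientDataHash)` on the same inputs; the SDK method is the one to use in production, this version exists to make the inputs visible.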
AuthenticatorData
The object that contains both the encoded authenticator data, which is to be used in verifying the attestation statement, and the decoded elements, including the credential itself, a public key.
public AuthenticatorData AuthenticatorData { get; }
Property Value
- AuthenticatorData
Remarks
Save the public key in this object and use it to verify assertions returned by calling GetAssertion.
EncodedAttestationStatement
The encoded CBOR map that describes the attestation statement.
public ReadOnlyMemory<byte> EncodedAttestationStatement { get; }
Property Value
- ReadOnlyMemory<byte>
Remarks
The other members of this class make it easy to access the individual elements of the attestation statement and supporting structures. This property returns the raw, CBOR encoded attestation statement returned by the YubiKey. This is useful if you are implementing or interoperating with the WebAuthn data types. It is often easier to copy this field over in its encoded form rather than using the parsed properties.
For example: the WebAuthn MakeCredential operation expects an "attestation object" to be returned. This is a CBOR map containing the "format", "attStmt", and "authData" entries, with the keys given in string form. The "authData" is the CBOR encoded AuthenticatorData further encoded in Base64URL. The "attStmt" is the CBOR map that contains the AttestationAlgorithm, AttestationStatement, and AttestationCertificates.
Rather than reconstructing the CBOR map, we provide it here for you, already in encoded form.
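Assembling that attestation object from the properties of this class, using the .NET `System.Formats.Cbor` writer, as an added example that is not the SDK's own code. It assumes the `Yubico.YubiKey.Fido2` namespace and that `AuthenticatorData` exposes its raw bytes as `EncodedAuthenticatorData`. The WebAuthn specification spells the format key "fmt", which is what the example writes; the already-encoded `EncodedAttestationStatement` is spliced in verbatim rather than rebuilt from the parsed properties, which is the point the remarks make:

```csharp
using System;
using System.Formats.Cbor;
using Yubico.YubiKey.Fido2;   // ASSUMPTION: namespace of MakeCredentialData

public static class AttestationObjectBuilder
{
    // Build the WebAuthn attestation object: a CBOR map with text keys
    // "fmt", "attStmt" and "authData". Keys are written in CTAP2 canonical
    // order (shortest first), which is also what a relying party expects.
    public static byte[] Build(MakeCredentialData data)
    {
        var writer = new CborWriter(CborConformanceMode.Ctap2Canonical);
        writer.WriteStartMap(3);

        writer.WriteTextString("fmt");
        writer.WriteTextString(data.Format);            // e.g. "packed"

        writer.WriteTextString("attStmt");
        // EncodedAttestationStatement is already a complete CBOR map;
        // WriteEncodedValue copies it in without decoding and re-encoding.
        writer.WriteEncodedValue(data.EncodedAttestationStatement.Span);

        writer.WriteTextString("authData");
        // ASSUMPTION: raw authenticatorData bytes are exposed as EncodedAuthenticatorData.
        writer.WriteByteString(data.AuthenticatorData.EncodedAuthenticatorData.Span);

        writer.WriteEndMap();
        return writer.Encode();
    }

    // Base64URL without padding (RFC 4648 section 5), the form in which the
    // attestation object is usually carried inside a JSON credential response.
    public static string ToBase64Url(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
}
```

Because the writer is in `Ctap2Canonical` mode it validates the spliced-in `attStmt` bytes as well, so a non-canonical or truncated statement surfaces as a `CborContentException` here rather than as a rejected registration on the relying party.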
EnterpriseAttestation
Indicates whether an enterprise attestation was returned. This is an optional value, so if the YubiKey did not return this element, the property will be null.
public bool? EnterpriseAttestation { get; }
Property Value
- bool?
Remarks
If there is no enterprise attestation entry in the response (this property is null), or if there was (this property is not null) and it is false, then there was no enterprise attestation statement returned. If there was an entry (this property is not null) and the value is true, then there was an enterprise attestation statement returned.
Extensions
The list of extensions. This is an optional value and can be null.
public IReadOnlyDictionary<string, byte[]>? Extensions { get; }
Property Value
- IReadOnlyDictionary<string, byte[]>?
Remarks
Each extension is a key/value pair. All keys are strings, but each extension has its own definition of a value. It could be an int, or it could be a map containing a string and a boolean. It is the caller's responsibility to decode the value.
For each value, the standard (or the vendor in the case of vendor-defined extensions) will define the structure of the value. From that structure the value can be decoded following CBOR rules. The encoded value is what is stored in this dictionary.
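Decoding the per-extension CBOR values the remarks leave to the caller, as an added example that is not the SDK's own code. The decoder dispatches on the CBOR major type rather than assuming a shape per extension name, so it handles the integer, boolean, byte-string and nested-map values different extensions define; the demo at the bottom runs it over a constructed dictionary (the bytes are hand-assembled here, not captured from a YubiKey) and the `MakeCredentialData` overload assumes the `Yubico.YubiKey.Fido2` namespace:

```csharp
using System;
using System.Collections.Generic;
using System.Formats.Cbor;
using Yubico.YubiKey.Fido2;   // ASSUMPTION: namespace of MakeCredentialData

public static class ExtensionDecoder
{
    // Convenience overload over the class on this page; Extensions may be null.
    public static IReadOnlyDictionary<string, object?> DecodeAll(MakeCredentialData data) =>
        DecodeAll(data.Extensions ?? new Dictionary<string, byte[]>());

    // Decode each extension's encoded value into a plain .NET object. Values that
    // are malformed or not fully consumed are reported, never silently dropped.
    public static IReadOnlyDictionary<string, object?> DecodeAll(IReadOnlyDictionary<string, byte[]> extensions)
    {
        var result = new Dictionary<string, object?>();
        foreach (KeyValuePair<string, byte[]> ext in extensions)
        {
            var reader = new CborReader(ext.Value, CborConformanceMode.Ctap2Canonical);
            try
            {
                object? value = ReadValue(reader);
                if (reader.BytesRemaining != 0)
                {
                    throw new CborContentException("trailing bytes after extension value");
                }
                result[ext.Key] = value;
            }
            catch (CborContentException e)
            {
                result[ext.Key] = $"<undecodable: {e.Message}>";
            }
        }
        return result;
    }

    // Recursive, type-driven decode of a single CBOR data item.
    private static object? ReadValue(CborReader reader)
    {
        switch (reader.PeekState())
        {
            case CborReaderState.UnsignedInteger:
            case CborReaderState.NegativeInteger:
                return reader.ReadInt64();
            case CborReaderState.Boolean:
                return reader.ReadBoolean();
            case CborReaderState.TextString:
                return reader.ReadTextString();
            case CborReaderState.ByteString:
                return reader.ReadByteString();
            case CborReaderState.Null:
                reader.ReadNull();
                return null;
            case CborReaderState.StartArray:
            {
                reader.ReadStartArray();
                var list = new List<object?>();
                while (reader.PeekState() != CborReaderState.EndArray)
                {
                    list.Add(ReadValue(reader));
                }
                reader.ReadEndArray();
                return list;
            }
            case CborReaderState.StartMap:
            {
                reader.ReadStartMap();
                var map = new Dictionary<string, object?>();
                while (reader.PeekState() != CborReaderState.EndMap)
                {
                    string key = reader.ReadTextString();   // extension maps use text keys
                    map[key] = ReadValue(reader);
                }
                reader.ReadEndMap();
                return map;
            }
            default:
                throw new CborContentException($"unsupported CBOR item {reader.PeekState()}");
        }
    }

    // Constructed sample input: an int value, a bool value, a one-entry map and
    // a deliberately truncated map, to show the decoder's behaviour on each.
    public static IReadOnlyDictionary<string, object?> Demo() => DecodeAll(new Dictionary<string, byte[]>
    {
        ["credProtect"] = new byte[] { 0x03 },                     // unsigned int 3
        ["hmac-secret"] = new byte[] { 0xF5 },                     // true
        ["sample-map"]  = new byte[] { 0xA1, 0x61, 0x78, 0x01 },   // {"x": 1}
        ["broken"]      = new byte[] { 0xA1, 0x61 },               // map cut short
    });
}
```

`Demo()` yields `3`, `true`, a dictionary with `"x" = 1`, and an `<undecodable: ...>` marker for the truncated entry. Because the reader runs in `Ctap2Canonical` mode, indefinite-length items and unsorted map keys are also rejected, which is the right default for data an authenticator produced under CTAP 2.1.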
Format
The attestation statement format identifier.
public string Format { get; }
Property Value
- string
LargeBlobKey
If this is not null, it is the large blob key (see section 12.3 of the CTAP2 standard). This is an optional element so it can be null.
public ReadOnlyMemory<byte>? LargeBlobKey { get; }
Property Value
- ReadOnlyMemory<byte>?
RawData
This returns the raw CBOR encoded credential data from the YubiKey, as returned by the MakeCredential operation.
public ReadOnlyMemory<byte> RawData { get; }
Property Value
- ReadOnlyMemory<byte>
Methods
VerifyAttestation(ReadOnlyMemory<byte>)
Use the zeroth public key in the AttestationCertificates list to verify the AuthenticatorData and client data hash using the signature that is the AttestationStatement.
public bool VerifyAttestation(ReadOnlyMemory<byte> clientDataHash)
Parameters
clientDataHash
- ReadOnlyMemory<byte>
The client data hash sent to the YubiKey to make the credential.
Returns
- bool
A boolean, true if the attestation statement (the signature) verifies, false otherwise.
Remarks
If the signature verifies, this method will return true, and if it does not verify, it will return false. If there are no certificates in the list, this method will throw an exception.
Exceptions
- InvalidOperationException
There is no cert in the attestation certificate list.