
AddCredProtectExtension Method

AddCredProtectExtension(CredProtectPolicy, bool, AuthenticatorInfo)

Add the "credProtect" extension, specifying the protection policy the YubiKey is to use when getting assertions.

C#
public void AddCredProtectExtension(CredProtectPolicy credProtectPolicy, bool enforceCredProtectPolicy, AuthenticatorInfo authenticatorInfo)

Parameters

Type Name Description
CredProtectPolicy credProtectPolicy

The "credProtect" policy the YubiKey is to follow when making the credential.

bool enforceCredProtectPolicy

Determines the behavior taken when the authenticator does not support the requested credProtect extension. Throws NotSupportedException when true, returns silently without adding the extension when false.

AuthenticatorInfo authenticatorInfo

The FIDO2 AuthenticatorInfo for the YubiKey being used.

Exceptions

Type Condition
ArgumentNullException

The authenticatorInfo arg is null.

NotSupportedException

The YubiKey does not support this extension, or the input values were not correct.

Remarks

Section 12.1 of the FIDO2 CTAP 2.1 standard specifies this extension. There are two parts: what the relying party communicates to the client, and what the client communicates to the authenticator. This class, MakeCredentialParameters, builds the parameters for the message from the client to the authenticator. Hence, this method will build the extension in the structure specified by the standard in the message from the client to the YubiKey.

Note that the standard specifies that the message from RP to client contains the same information as the message from the client to the authenticator, just in a different format. Furthermore, the message from the RP to the client contains extra information, namely a boolean indicating the RP's request on how to handle the case where the authenticator does not support user verification (UV). That boolean is not passed down to the YubiKey, and it is the responsibility of the client to handle that logic.

Because this extension is commonly used, a dedicated method is provided as a convenience. There is no need for the caller to encode the credProtectPolicy. That is, this is essentially the same as calling AddExtension, except this method will verify that the YubiKey supports the extension, verify the data, use the appropriate extension string, and encode the value.

The caller supplies the AuthenticatorInfo for the YubiKey, obtained by calling the GetInfoCommand or providing the AuthenticatorInfo property.

This method will determine from the authenticatorInfo whether the YubiKey supports this extension, and whether the data provided is correct for the YubiKey's support for "credProtect".

The standard defines three policies:

UserVerificationOptional
UserVerificationOptionalWithCredentialIDList
UserVerificationRequired

The SDK provides one more option: None.

The policy UserVerificationOptionalWithCredentialIDList means that the authenticator may or may not enforce UV if the request for an assertion is accompanied by a credential ID (see the allowList in GetAssertionParameters). If there is no credential ID (no allowList), then UV is required to get an assertion.

You can see the "credProtect" policy in the MakeCredentialData.AuthenticatorData.Extensions property once the credential has been made. See GetCredProtectExtension().

Note that while the "credProtect" policy refers to how the credential is protected when getting an assertion, the "credProtect" policy is not returned by the YubiKey in the GetAssertionData.AuthenticatorData.Extensions.

If you pass None as the credProtectPolicy, this method will do nothing and return. The "credProtect" policy of the credential will be the YubiKey's default.

AddCredProtectExtension(CredProtectPolicy, AuthenticatorInfo)

Add the "credProtect" extension, specifying the protection policy the YubiKey is to use when getting assertions.

C#
public void AddCredProtectExtension(CredProtectPolicy credProtectPolicy, AuthenticatorInfo authenticatorInfo)

Parameters

Type Name Description
CredProtectPolicy credProtectPolicy

The "credProtect" policy the YubiKey is to follow when making the credential.

AuthenticatorInfo authenticatorInfo

The FIDO2 AuthenticatorInfo for the YubiKey being used.

Exceptions

Type Condition
ArgumentNullException

The authenticatorInfo arg is null.

NotSupportedException

The YubiKey does not support this extension, or the input values were not correct.

Remarks

Section 12.1 of the FIDO2 CTAP 2.1 standard specifies this extension. There are two parts: what the relying party communicates to the client, and what the client communicates to the authenticator. This class, MakeCredentialParameters, builds the parameters for the message from the client to the authenticator. Hence, this method will build the extension in the structure specified by the standard in the message from the client to the YubiKey.

Note that the standard specifies that the message from RP to client contains the same information as the message from the client to the authenticator, just in a different format. Furthermore, the message from the RP to the client contains extra information, namely a boolean indicating the RP's request on how to handle the case where the authenticator does not support user verification (UV). That boolean is not passed down to the YubiKey, and it is the responsibility of the client to handle that logic.

Because this extension is commonly used, a dedicated method is provided as a convenience. There is no need for the caller to encode the credProtectPolicy. That is, this is essentially the same as calling AddExtension, except this method will verify that the YubiKey supports the extension, verify the data, use the appropriate extension string, and encode the value.

The caller supplies the AuthenticatorInfo for the YubiKey, obtained by calling the GetInfoCommand or providing the AuthenticatorInfo property.

This method will determine from the authenticatorInfo whether the YubiKey supports this extension, and whether the data provided is correct for the YubiKey's support for "credProtect".

The standard defines three policies:

UserVerificationOptional
UserVerificationOptionalWithCredentialIDList
UserVerificationRequired

The SDK provides one more option: None.

The policy UserVerificationOptionalWithCredentialIDList means that the authenticator may or may not enforce UV if the request for an assertion is accompanied by a credential ID (see the allowList in GetAssertionParameters). If there is no credential ID (no allowList), then UV is required to get an assertion.

You can see the "credProtect" policy in the MakeCredentialData.AuthenticatorData.Extensions property once the credential has been made. See GetCredProtectExtension().

Note that while the "credProtect" policy refers to how the credential is protected when getting an assertion, the "credProtect" policy is not returned by the YubiKey in the GetAssertionData.AuthenticatorData.Extensions.

If you pass None as the credProtectPolicy, this method will do nothing and return. The "credProtect" policy of the credential will be the YubiKey's default.
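The following is a worked example of using the AddCredProtectExtension overloads described above. It is added here and is not code from the Yubico .NET SDK or its documentation. It ties the enforceCredProtectPolicy flag to the requested policy (a credential that was meant to require UV should fail to be created rather than be created silently without that gate), then reads the applied policy back with GetCredProtectExtension() after the credential is made. Names assumed beyond this page: Fido2Session, its AuthenticatorInfo and KeyCollector members, Fido2Session.MakeCredential, RelyingParty, UserEntity, MakeCredentialParameters.AddOption, KeyEntryData/KeyEntryRequest, YubiKeyDevice.FindByTransport and Transport.HidFido; the PIN, RP ID and user ID are constructed placeholders.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using Yubico.YubiKey;
using Yubico.YubiKey.Fido2;

// Added example, not Yubico SDK code. Member names other than
// AddCredProtectExtension, AuthenticatorInfo, CredProtectPolicy and
// GetCredProtectExtension are assumptions about the SDK surface.
public static class CredProtectExample
{
    // Enforcement policy: if the caller asked for UV to be required, a
    // YubiKey without credProtect must cause an error, not a silent downgrade.
    // For the weaker policies, falling back to the YubiKey default is acceptable.
    public static bool MustEnforce(CredProtectPolicy policy) =>
        policy == CredProtectPolicy.UserVerificationRequired;

    // Attach the extension. Returns true when the request was accepted
    // (or when the YubiKey lacks credProtect and that was allowed),
    // false when the SDK refused it.
    public static bool TryAddCredProtect(
        MakeCredentialParameters parameters,
        AuthenticatorInfo authenticatorInfo,
        CredProtectPolicy policy)
    {
        try
        {
            // CredProtectPolicy.None makes this call a no-op (YubiKey default applies).
            parameters.AddCredProtectExtension(policy, MustEnforce(policy), authenticatorInfo);
            return true;
        }
        catch (NotSupportedException ex)
        {
            // Reached when enforcement is on and the YubiKey lacks the
            // extension, or when the inputs were not valid for this YubiKey.
            Console.WriteLine($"credProtect not applied: {ex.Message}");
            return false;
        }
    }

    // Assumed KeyCollector shape: answers PIN and touch prompts from the SDK.
    private static bool CollectKey(KeyEntryData data)
    {
        switch (data.Request)
        {
            case KeyEntryRequest.VerifyFido2Pin:
                data.SubmitValue(Encoding.UTF8.GetBytes("123456")); // constructed placeholder PIN
                return true;
            case KeyEntryRequest.TouchRequest:
                Console.WriteLine("Touch the YubiKey.");
                return true;
            case KeyEntryRequest.Release:
                return true;
            default:
                return false;
        }
    }

    public static void Main()
    {
        var requested = CredProtectPolicy.UserVerificationRequired;

        // Assumed: first YubiKey reachable over the FIDO HID transport.
        IYubiKeyDevice yubiKey = YubiKeyDevice.FindByTransport(Transport.HidFido).First();
        using var session = new Fido2Session(yubiKey);
        session.KeyCollector = CollectKey;

        // Constructed RP and user; the client data hash is SHA-256 of sample client data.
        var rp = new RelyingParty("example.test") { Name = "Example" };
        var user = new UserEntity(new byte[] { 0x01, 0x02, 0x03, 0x04 }) { Name = "alice", DisplayName = "Alice" };
        var parameters = new MakeCredentialParameters(rp, user)
        {
            ClientDataHash = SHA256.HashData(Encoding.UTF8.GetBytes("{\"challenge\":\"constructed\"}")),
        };
        parameters.AddOption("rk", true); // discoverable credential: credProtect matters most here

        // AuthenticatorInfo comes from the session (page: GetInfoCommand or the AuthenticatorInfo property).
        if (!TryAddCredProtect(parameters, session.AuthenticatorInfo, requested))
        {
            return; // do not create a credential weaker than the one requested
        }

        MakeCredentialData result = session.MakeCredential(parameters);

        // The policy is visible in the MakeCredentialData extensions only; it is not
        // returned in GetAssertionData.AuthenticatorData.Extensions later.
        CredProtectPolicy applied = result.AuthenticatorData.GetCredProtectExtension();
        Console.WriteLine($"requested {requested}, YubiKey reports {applied}");
        if (applied != requested)
        {
            Console.WriteLine("Policy differs from the request; record the credential as not UV-gated.");
        }
    }
}
```

The check at the end is the part worth keeping in a real registration flow: the relying party should persist the credProtect value read back from the authenticator data, not the value it asked for, since that is the only point at which the YubiKey reports the policy it actually applied.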
