AddCredProtectExtension Method
AddCredProtectExtension(CredProtectPolicy, Boolean, AuthenticatorInfo)
Add the "credProtect" extension, specifying the protection policy the YubiKey is to use when getting assertions.
public void AddCredProtectExtension(CredProtectPolicy credProtectPolicy, bool enforceCredProtectPolicy, AuthenticatorInfo authenticatorInfo)
Parameters
Type | Name | Description |
---|---|---|
CredProtectPolicy | credProtectPolicy | The "credProtect" policy the YubiKey is to follow when making the credential. |
System.Boolean | enforceCredProtectPolicy | Determines the behavior taken when the authenticator does not support the requested credProtect extension. Throws NotSupportedException when true, returns silently without adding the extension when false. |
AuthenticatorInfo | authenticatorInfo | The FIDO2 |
Exceptions
Type | Condition |
---|---|
System.ArgumentNullException | The |
System.NotSupportedException | The YubiKey does not support this extension, or the input values were not correct. |
Remarks
Section 12.1 of the FIDO2 CTAP 2.1 standard specifies this extension.
There are two parts: what the relying party (RP) communicates to the client, and what the client communicates to the authenticator. This class, MakeCredentialParameters, builds the parameters for the message from the client to the authenticator. Hence, this method builds the extension in the structure the standard specifies for the message from the client to the YubiKey.
Note that the standard specifies that the message from the RP to the client carries the same information as the message from the client to the authenticator, just in a different format. The message from the RP to the client also contains one extra item, a boolean (enforceCredentialProtectionPolicy) indicating whether the client should fail credential creation if the authenticator does not support the requested "credProtect" policy. That boolean is not passed down to the YubiKey; handling it is the client's responsibility, and the enforceCredProtectPolicy argument of this overload is how the SDK lets the caller express that choice.
Because this extension is commonly used, a dedicated method is provided as a convenience. There is no need for the caller to encode the credProtectPolicy. That is, this is essentially the same as calling AddExtension, except this method will verify that the YubiKey supports the extension, verify the data, use the appropriate extensionString, and encode the value.
The caller supplies the AuthenticatorInfo for the YubiKey, obtained by calling the GetInfoCommand or by reading the AuthenticatorInfo property. This method will determine from the authenticatorInfo whether the YubiKey supports this extension, and whether the data provided is correct for the YubiKey's support for "credProtect".
The standard defines three policies:
- UserVerificationOptional
- UserVerificationOptionalWithCredentialIDList
- UserVerificationRequired
The SDK provides one more option: None.
The policy UserVerificationOptionalWithCredentialIDList means that the authenticator may or may not enforce UV if the request for an assertion is accompanied by a credential ID (see the allowList in GetAssertionParameters). If there is no credential ID (no allowList), then UV is required to get an assertion.
You can see the "credProtect" policy in the MakeCredentialData.AuthenticatorData.Extensions property once the credential has been made; see GetCredProtectExtension().
Note that while the "credProtect" policy governs how the credential is protected when getting an assertion, the policy is not returned by the YubiKey in GetAssertionData.AuthenticatorData.Extensions. A client or RP that needs the policy later must record it at make-credential time.
If you pass None as the credProtectPolicy, this method will do nothing and return. The "credProtect" policy of the credential will be the YubiKey's default.
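The following is an added example; it is not code from the Yubico .NET SDK documentation or from the SDK itself. It walks through the workflow the remarks describe for both overloads: obtain the AuthenticatorInfo, add the "credProtect" extension with enforceCredProtectPolicy set so that an unsupported policy fails loudly instead of silently producing an unprotected credential, make the credential, and read the applied policy back from the make-credential authenticator data (the only place the YubiKey reports it). Everything this page documents (AddCredProtectExtension, AuthenticatorInfo, MakeCredentialParameters, GetCredProtectExtension, the CredProtectPolicy values, NotSupportedException) is used as described. The surrounding calls (Fido2Session, YubiKeyDevice.FindByTransport, the RelyingParty and UserEntity constructors, AuthenticatorInfo.Extensions, the ClientDataHash property, the return type of GetCredProtectExtension) are assumptions about the SDK surface to be checked against the SDK version in use; PIN/UV collection is omitted; the relying party, user and client data hash are constructed sample values.

```csharp
// Added example (not from the SDK docs). Identifiers other than those
// documented on this page are assumptions about the Yubico.YubiKey SDK
// surface; verify them against the SDK version you build with.
using System;
using System.Linq;
using Yubico.YubiKey;
using Yubico.YubiKey.Fido2;

public static class CredProtectExample
{
    // Derived from the policy definitions: under which policies does the
    // YubiKey demand UV for an assertion when the RP sends no allowList?
    public static bool RequiresUvWithoutAllowList(CredProtectPolicy policy) =>
        policy == CredProtectPolicy.UserVerificationOptionalWithCredentialIDList
        || policy == CredProtectPolicy.UserVerificationRequired;

    // Adds the extension and reports whether it was actually added.
    //   enforce == true  -> NotSupportedException on a YubiKey without credProtect
    //   enforce == false -> returns without adding it (YubiKey default policy applies)
    // The two-argument overload behaves like enforce == true.
    public static bool TryAddCredProtect(
        MakeCredentialParameters parameters,
        CredProtectPolicy policy,
        bool enforce,
        AuthenticatorInfo info)
    {
        // Assumption: AuthenticatorInfo.Extensions lists supported extension
        // identifier strings; the pre-check lets the caller see why it failed.
        bool supported = info.Extensions?.Contains("credProtect") == true;

        try
        {
            parameters.AddCredProtectExtension(policy, enforce, info);
            // None is a no-op by contract; unsupported + enforce == false is silent.
            return supported && policy != CredProtectPolicy.None;
        }
        catch (NotSupportedException)
        {
            // Reached with enforce == true on an unsupported YubiKey, or bad input.
            return false;
        }
    }

    public static void Main()
    {
        // Assumption: the first FIDO-capable YubiKey is the one to use.
        IYubiKeyDevice yubiKey = YubiKeyDevice.FindByTransport(Transport.HidFido).First();

        using var fido2 = new Fido2Session(yubiKey);
        // Assumption: fido2.KeyCollector is configured elsewhere to supply PIN/UV.

        // Either the session property or GetInfoCommand yields the AuthenticatorInfo.
        AuthenticatorInfo info = fido2.AuthenticatorInfo;

        // Constructed sample values; a real client hashes clientDataJSON with SHA-256.
        var rp = new RelyingParty("example.com") { Name = "Example RP" };
        var user = new UserEntity(new byte[] { 0x01, 0x02, 0x03, 0x04 })
        {
            Name = "alice",
            DisplayName = "Alice",
        };
        var clientDataHash = new byte[32];

        var parameters = new MakeCredentialParameters(rp, user)
        {
            ClientDataHash = clientDataHash,
        };

        // Policy 2 is the usual RP choice: UV may be skipped only when the RP
        // presents the credential ID (allowList); discoverable use requires UV.
        const CredProtectPolicy requested =
            CredProtectPolicy.UserVerificationOptionalWithCredentialIDList;

        if (!TryAddCredProtect(parameters, requested, enforce: true, info))
        {
            Console.WriteLine("credProtect unsupported; refusing to create an unprotected credential.");
            return;
        }

        MakeCredentialData credential = fido2.MakeCredential(parameters);

        // The applied policy is echoed in the make-credential authenticator data
        // but not in later GetAssertionData, so record it here if the RP needs it.
        CredProtectPolicy applied = credential.AuthenticatorData.GetCredProtectExtension();
        Console.WriteLine($"requested={requested} applied={applied} " +
                          $"uvRequiredWithoutAllowList={RequiresUvWithoutAllowList(applied)}");

        if (applied != requested)
        {
            // A downgraded or defaulted policy is a failure in a strict deployment.
            throw new InvalidOperationException("YubiKey applied a different credProtect policy.");
        }
    }
}
```

The enforce flag is the security-relevant decision: with enforceCredProtectPolicy set to true (or with the two-argument overload), a YubiKey lacking the extension makes registration fail, which is what an RP that relies on UserVerificationOptionalWithCredentialIDList or UserVerificationRequired normally wants; with it set to false the credential is created under the YubiKey's default policy, so the caller should check the value read back from the authenticator data before treating the credential as protected.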
AddCredProtectExtension(CredProtectPolicy, AuthenticatorInfo)
Add the "credProtect" extension, specifying the protection policy the YubiKey is to use when getting assertions.
public void AddCredProtectExtension(CredProtectPolicy credProtectPolicy, AuthenticatorInfo authenticatorInfo)
Parameters
Type | Name | Description |
---|---|---|
CredProtectPolicy | credProtectPolicy | The "credProtect" policy the YubiKey is to follow when making the credential. |
AuthenticatorInfo | authenticatorInfo | |
Exceptions
Type | Condition |
---|---|
System.ArgumentNullException | The |
System.NotSupportedException | The YubiKey does not support this extension, or the input values were not correct. |
Remarks
The remarks for AddCredProtectExtension(CredProtectPolicy, Boolean, AuthenticatorInfo) above apply to this overload unchanged. The one difference is that there is no enforceCredProtectPolicy argument: if the YubiKey does not support the "credProtect" extension or the requested policy, this overload throws NotSupportedException rather than returning silently, so it behaves like the three-parameter overload with enforceCredProtectPolicy set to true. Passing None still does nothing and leaves the credential at the YubiKey's default policy.