Class MakeCredentialParameters
This collects and encodes the information needed to make a FIDO2 credential.
public class MakeCredentialParameters
- Inheritance
-
objectMakeCredentialParameters
Remarks
There are ten elements that are inputs to a FIDO2 credential (see section 6.1 of the FIDO2 standard). Four of them are required and six are optional.
When you need to make a new credential, you will collect all the required
along with any optional parameters and build an instance of this class.
Then pass that object to the MakeCredential
method or command.
Constructors
MakeCredentialParameters(RelyingParty, UserEntity)
Constructs a new instance of MakeCredentialParameters using the default preferred algorithm
public MakeCredentialParameters(RelyingParty relyingParty, UserEntity userEntity)
Parameters
relyingParty
RelyingPartyThe relying party for which the credential is to be created. This constructor copies a reference to the input object.
userEntity
UserEntityThe user for which the credential is to be created. This constructor copies a reference to the input object.
Remarks
Note that a UserEntity
is a required element in order to make
a credential. The standard specifies that the UserEntity
is
made up of an ID
, a Name
, and a DisplayName
.
The standard also says the Name
and DisplayName
are
optional. It should be possible to make a credential using a
UserEntity
that contains only an ID
. However, YubiKeys
prior to version 5.3.0 require a Name
in order to make a
credential.
One of the required elements of the MakeCredential
parameters
is a list of supported algorithms (a type and algorithm pair,
Algorithms). Hence, you must supply at least one
algorithm, which will be the preferred one. Currently the only
algorithm supported by the YubiKey is the pair
"public-key"/ECDSA with SHA-256
. To build this parameters
object with that credential type, use this constructor, which will
add it by default. If you want to specify something other than the
default, use the constructor that takes in an algorithmType
and algorithm
.
It is possible to add more types later using the method AddAlgorithm(string, CoseAlgorithmIdentifier).
MakeCredentialParameters(RelyingParty, UserEntity, string, CoseAlgorithmIdentifier)
Constructs a new instance of MakeCredentialParameters setting the preferred algorithm to something other than the default.
public MakeCredentialParameters(RelyingParty relyingParty, UserEntity userEntity, string algorithmType, CoseAlgorithmIdentifier algorithm)
Parameters
relyingParty
RelyingPartyThe relying party for which the credential is to be created. This constructor copies a reference to the input object.
userEntity
UserEntityThe user for which the credential is to be created. This constructor copies a reference to the input object.
algorithmType
stringThe type of type and algorithm that is the caller's preferred choice.
algorithm
CoseAlgorithmIdentifierThe algorithm of type and algorithm that is the caller's preferred choice.
Remarks
Note that a UserEntity
is a required element in order to make
a credential. The standard specifies that the UserEntity
is
made up of an ID
, a Name
, and a DisplayName
.
The standard also says the Name
and DisplayName
are
optional. It should be possible to make a credential using a
UserEntity
that contains only an ID
. However, YubiKeys
prior to version 5.3.0 require a Name
in order to make a
credential.
One of the required elements of the MakeCredential
parameters
is a list of supported algorithms (a type and algorithm pair,
Algorithms). Hence, you must supply at least one
algorithm, which will be the preferred one. Currently the only
algorithm supported by the YubiKey is the pair
"public-key"/ECDSA with SHA-256
. To build this parameters
object with that credential type, use the constructor that adds it be
default. If you want to specify something other than the default, use
this constructor.
It is possible to add more types later using the method AddAlgorithm(string, CoseAlgorithmIdentifier).
Properties
Algorithms
The list of supported algorithms for credential generation. This is the "pubKeyCredParams" in the standard (FIDO2 section 6.1).
public IReadOnlyList<Tuple<string, CoseAlgorithmIdentifier>> Algorithms { get; }
Property Value
- IReadOnlyList<Tuple<string, CoseAlgorithmIdentifier>>
Remarks
Each entry in the list is a type and algorithm. Neither the type nor
algorithm are guaranteed to be unique, although each combination is.
Currently, the only type defined is "public-key". The only algorithm
the YubiKey supports is ECDSA with SHA-256 using the NIST P-256
curve. This is the pair
"public-key"/CoseAlgorithmIdentifier.ES256
.
To add an entry to the list, call AddAlgorithm(string, CoseAlgorithmIdentifier).
ClientDataHash
The original clientDataHash
that was provided by the client.
It contains the challenge. This is a required element.
public ReadOnlyMemory<byte> ClientDataHash { get; set; }
Property Value
- ReadOnlyMemory<byte>
EnterpriseAttestation
Specifies whether an enterprise attestation is to be returned along with the credential, and if so, which kind. This is an optional parameter, so it is can be null.
public EnterpriseAttestation? EnterpriseAttestation { get; set; }
Property Value
Remarks
See also the documentation for EnterpriseAttestation.
Not all authenticators support enterprise attestation (check the
Options
property of AuthenticatorInfo). If a
YubiKey does not support this option, setting this property (even
setting it to None
) will generate an error return.
Furthermore, if an authenticator supports only vendor-facilitated attestation, the standard allows treating a request for platform-managed attestation as a request for vendor-facilitated.
ExcludeList
The list of credentialIds for which the authenticator should not create a new credential. This is an optional parameter, so it can be null.
public IReadOnlyList<CredentialId>? ExcludeList { get; }
Property Value
- IReadOnlyList<CredentialId>
Remarks
To add an entry to the list, call ExcludeCredential(CredentialId).
Extensions
The list of extensions. This is an optional parameter, so it can be null.
public IReadOnlyDictionary<string, byte[]>? Extensions { get; }
Property Value
- IReadOnlyDictionary<string, byte[]>
Remarks
To add an entry to the list, call AddExtension(string, byte[]).
Each extension is a key/value pair. All keys are strings, but each extension has its own definition of a value. It could be an int, or it could be a map containing a string and a boolean,. It is the caller's responsibility to encode the value.
For each value, the standard (or the vendor in the case of vendor-defined extensions) will define the structure of the value. From that structure the value can be encoded following CBOR rules. The result of the encoding the value is what is stored in this dictionary.
Options
The list of authenticator options. Each standard-defined option is a key/value pair, where the key is a string and the value is a boolean. This is an optional parameter, so it can be null.
public IReadOnlyDictionary<string, bool>? Options { get; }
Property Value
- IReadOnlyDictionary<string, bool>
Remarks
To add options, call AddOption(string, bool).
PinUvAuthParam
The result of calling the PinProtocol's method AuthenticateUsingPinToken(byte[], byte[]) using the PIN token as the key and the client data hash as the message. This is an optional parameter, so it can be null.
public ReadOnlyMemory<byte>? PinUvAuthParam { get; set; }
Property Value
- ReadOnlyMemory<byte>?
Remarks
In order to obtain the pinUvAuthParam
, choose a protocol and
build the appropriate PinUvAuthProtocolBase object.
Obtain the YubiKey's Key Agreement public key and call the protocol
object's Encapsulate
method. Next obtain the PIN token.
Finally, call the protocol object's
AuthenticateUsingPinToken(byte[], byte[])
method using the
ClientDataHash
as the message to authenticate. Note that the
first argument in this call is the PIN token, which is an encrypted
value. Do not decrypt the PIN token. The result of that
authentication operation is the PinUvAuthParam
Protocol
The protocol chosen by the platform. This is an optional parameter, so it can be null.
public PinUvAuthProtocol? Protocol { get; set; }
Property Value
RelyingParty
The relying party's ID, along with an optional descriptive string. This is a required element.
public RelyingParty RelyingParty { get; set; }
Property Value
UserEntity
The user's ID, along with optional descriptive strings. This is a required element.
public UserEntity UserEntity { get; set; }
Property Value
Remarks
Note that a UserEntity
is a required element in order to make
a credential. The standard specifies that the UserEntity
is
made up of an ID
, a Name
, and a DisplayName
.
The standard also says the Name
and DisplayName
are
optional. It should be possible to make a credential using a
UserEntity
that contains only an ID
. However, YubiKeys
prior to version 5.3.0 require a Name
in order to make a
credential.
Methods
AddAlgorithm(string, CoseAlgorithmIdentifier)
Add an entry to Algorithms.
public void AddAlgorithm(string algorithmType, CoseAlgorithmIdentifier algorithm)
Parameters
algorithmType
stringalgorithm
CoseAlgorithmIdentifier
AddCredBlobExtension(byte[], AuthenticatorInfo)
Add the "credBlob" extension. Note that the credBlob extension is valid only for discoverable credentials.
public void AddCredBlobExtension(byte[] credBlobValue, AuthenticatorInfo authenticatorInfo)
Parameters
credBlobValue
byte[]The data to add as the "credBlob" extension.
authenticatorInfo
AuthenticatorInfoThe FIDO2
AuthenticatorInfo
for the YubiKey being used.
Remarks
Because this extension is used more often, a dedicated method is
provided as a convenience. There is no need for the caller to
encode the credBlobValue
. That is, this is essentially the
same as calling AddExtension
, except this method will verify
the YubiKey supports the extension, verify the data length, use the
appropriate extensionString
, and encode the value.
The caller supplies the AuthenticatorInfo
for the YubiKey,
obtained by calling the GetInfoCommand or
providing the AuthenticatorInfo property.
This method will determine from the authenticatorInfo
whether
the YubiKey supports this extension, and whether the data provided is
within the YubiKey's range for "credBlob". The standard specifies
that the maximum credBlob length is at least 32 bytes. The
AuthenticatorInfo
contains the property
MaximumCredentialBlobLength
, which is the length the YubiKey
supports. If the YubiKey does not support the "credBlob" extension,
or the data is too long, this method will throw an exception.
The caller supplies the un-encoded credBlobValue
. This method
will encode it.
The credBlob data will be returned when the credential is used to get an assertion. When building the GetAssertion parameters, the caller must specify that the YubiKey return the credBlob. See RequestCredBlobExtension(). The assertion returned will contain the credBlob. The data will be returned in the AuthenticatorData and can be retrieved using GetCredBlobExtension()
Exceptions
- ArgumentNullException
The
credBlobValue
orauthenticatorInfo
arg is null.- ArgumentException
The YubiKey does not support this extension, or the value's length was invalid.
AddCredProtectExtension(CredProtectPolicy, bool, AuthenticatorInfo)
Add the "credProtect" extension, specifying the protection policy the YubiKey is to use when getting assertions.
public void AddCredProtectExtension(CredProtectPolicy credProtectPolicy, bool enforceCredProtectPolicy, AuthenticatorInfo authenticatorInfo)
Parameters
credProtectPolicy
CredProtectPolicyThe "credProtect" policy the YubiKey is to follow when making the credential.
enforceCredProtectPolicy
boolDetermines the behavior taken when the authenticator does not support the requested credProtect extension. Throws NotSupportedException when true, returns silently without adding the extension when false.
authenticatorInfo
AuthenticatorInfoThe FIDO2
AuthenticatorInfo
for the YubiKey being used.
Remarks
Section 12.1 of the FIDO2 CTAP 2.1 standard specifies this extension.
There are two parts: what the relying party communicates to the
client, and what the client communicates to the authenticator. This
class, MakeCredentialParameters
, builds the parameters for the
message from the client to the authenticator. Hence, this method will
build the extension in the structure specified by the standard in the
message from the client to the YubiKey.
Note that the standard specifies that the the message from RP to client contains the same information as the message from the client to the authenticator, just in a different format. Furthermore, the message from the RP to the client contains extra information, namely a boolean indicating the RP's request on how to handle the case where the authenticator does not support user verification (UV). That boolean is not passed down to the YubiKey and it is the responsibility of the client to handle that logic.
Because this extension is used more often, a dedicated method is
provided as a convenience. There is no need for the caller to
encode the credProtectPolicy
. That is, this is essentially the
same as calling AddExtension
, except this method will verify
the YubiKey supports the extension, verify the data, use the
appropriate >extensionString
, and encode the value.
The caller supplies the AuthenticatorInfo
for the YubiKey,
obtained by calling the GetInfoCommand or
providing the AuthenticatorInfo property.
This method will determine from the authenticatorInfo
whether
the YubiKey supports this extension, and whether the data provided is
correct for the YubiKey's support for "credProtect".
The standard defines three policies:
UserVerificationOptional
UserVerificationOptionalWithCredentialIDList
UserVerificationRequired
The SDK provides for one more option: None
.
The policy UserVerificationOptionalWithCredentialIDList
means
that the authenticator may or may not enforce UV if the request for
an assertion is accompanied by a credential ID (see the
allowList
in GetAssertionParameters). If there
is no credential ID (no allowList
), then UV is required to get
an assertion.
You can see the "credProtect" policy in the
MakeCredentialData.AuthenticatorData.Extensions
property once
the credential has been made. See
GetCredProtectExtension().
Note that while the "credProtect" policy refers to how the credential
is protected when getting an assertion, the "credProtect" policy is
not returned by the YubiKey in the
GetAssertionData.AuthenticatorData.Extensions
.
If you pass None
as the credProtectPolicy
, this method
will do nothing and return. The "credProtect" policy of the
credential will be the YubiKey's default.
Exceptions
- ArgumentNullException
The
authenticatorInfo
arg is null.- NotSupportedException
The YubiKey does not support this extension, or the input values were not correct.
AddCredProtectExtension(CredProtectPolicy, AuthenticatorInfo)
Add the "credProtect" extension, specifying the protection policy the YubiKey is to use when getting assertions.
public void AddCredProtectExtension(CredProtectPolicy credProtectPolicy, AuthenticatorInfo authenticatorInfo)
Parameters
credProtectPolicy
CredProtectPolicyThe "credProtect" policy the YubiKey is to follow when making the credential.
authenticatorInfo
AuthenticatorInfoThe FIDO2
AuthenticatorInfo
for the YubiKey being used.
Remarks
Section 12.1 of the FIDO2 CTAP 2.1 standard specifies this extension.
There are two parts: what the relying party communicates to the
client, and what the client communicates to the authenticator. This
class, MakeCredentialParameters
, builds the parameters for the
message from the client to the authenticator. Hence, this method will
build the extension in the structure specified by the standard in the
message from the client to the YubiKey.
Note that the standard specifies that the the message from RP to client contains the same information as the message from the client to the authenticator, just in a different format. Furthermore, the message from the RP to the client contains extra information, namely a boolean indicating the RP's request on how to handle the case where the authenticator does not support user verification (UV). That boolean is not passed down to the YubiKey and it is the responsibility of the client to handle that logic.
Because this extension is used more often, a dedicated method is
provided as a convenience. There is no need for the caller to
encode the credProtectPolicy
. That is, this is essentially the
same as calling AddExtension
, except this method will verify
the YubiKey supports the extension, verify the data, use the
appropriate >extensionString
, and encode the value.
The caller supplies the AuthenticatorInfo
for the YubiKey,
obtained by calling the GetInfoCommand or
providing the AuthenticatorInfo property.
This method will determine from the authenticatorInfo
whether
the YubiKey supports this extension, and whether the data provided is
correct for the YubiKey's support for "credProtect".
The standard defines three policies:
UserVerificationOptional
UserVerificationOptionalWithCredentialIDList
UserVerificationRequired
The SDK provides for one more option: None
.
The policy UserVerificationOptionalWithCredentialIDList
means
that the authenticator may or may not enforce UV if the request for
an assertion is accompanied by a credential ID (see the
allowList
in GetAssertionParameters). If there
is no credential ID (no allowList
), then UV is required to get
an assertion.
You can see the "credProtect" policy in the
MakeCredentialData.AuthenticatorData.Extensions
property once
the credential has been made. See
GetCredProtectExtension().
Note that while the "credProtect" policy refers to how the credential
is protected when getting an assertion, the "credProtect" policy is
not returned by the YubiKey in the
GetAssertionData.AuthenticatorData.Extensions
.
If you pass None
as the credProtectPolicy
, this method
will do nothing and return. The "credProtect" policy of the
credential will be the YubiKey's default.
Exceptions
- ArgumentNullException
The
authenticatorInfo
arg is null.- NotSupportedException
The YubiKey does not support this extension, or the input values were not correct.
AddExtension(string, byte[])
Add an entry to the extensions list.
public void AddExtension(string extensionKey, byte[] encodedValue)
Parameters
extensionKey
stringThe key of key/value to add.
encodedValue
byte[]The CBOR-encoded value of key/value to add.
Remarks
If there is no list yet when this method is called, one will be created. That is, even if the Extensions is null, you can call the method to add an entry.
Each extension is a key/value pair. For each extension the key is a string (such as "credProtect" or "hmac-secret"). However, each value is different. There will be a definition of the value that accompanies each key. It will be possible to encode that definition using the rules of CBOR. The caller supplies the key and the encoded value. This method copies a reference to the byte array value.
Exceptions
- ArgumentNullException
The
extensionKey
orencodedValue
arg is null.
AddHmacSecretExtension(AuthenticatorInfo)
Add the "hmac-secret" extension, meaning the YubiKey will generate a secret value to be associated with the credential made. When getting an assertion, it will be possible to get the secret value. Note that the hmac-secret extension is valid for both discoverable and non-discoverable credentials.
public void AddHmacSecretExtension(AuthenticatorInfo authenticatorInfo)
Parameters
authenticatorInfo
AuthenticatorInfoThe FIDO2
AuthenticatorInfo
for the YubiKey being used.
Remarks
Because this extension is used more often, a dedicated method is
provided as a convenience. There is no need for the caller to
encode the hmacSecretValue
. That is, this is essentially the
same as calling AddExtension
, except this method will verify
the YubiKey supports the extension, and encode the value.
The caller supplies the AuthenticatorInfo
for the YubiKey,
obtained by calling the GetInfoCommand or
providing the AuthenticatorInfo property.
This method will determine from the authenticatorInfo
whether
the YubiKey supports this extension.
The hmac-secret data will be returned when the credential is used to get an assertion. When building the GetAssertion parameters, the caller must specify that the YubiKey return the hmac-secret. See RequestHmacSecretExtension(ReadOnlyMemory<byte>, ReadOnlyMemory<byte>?). The assertion returned will contain the hmac-secret output. The result will be returned in the AuthenticatorData and can be retrieved using GetHmacSecretExtension(PinUvAuthProtocolBase)
Exceptions
- ArgumentNullException
The
authenticatorInfo
arg is null.- ArgumentException
The YubiKey does not support this extension.
AddMinPinLengthExtension(AuthenticatorInfo)
Specify that the YubiKey should return the minimum PIN length with the credential.
public void AddMinPinLengthExtension(AuthenticatorInfo authenticatorInfo)
Parameters
authenticatorInfo
AuthenticatorInfoThe FIDO2
AuthenticatorInfo
for the YubiKey being used.
Remarks
Because this extension is used more often, a dedicated method is provided as a convenience. Note that the minimum PIN length is visible to only those RPs who have permission. See the documentation for TrySetPinConfig(int?, IReadOnlyList<string>?, bool?) and the User's Manual entry on the minimum PIN length.
When the YubiKey makes the credential, it will be sent to the relying party. At that point, the relying party can reject it. One reason an RP might reject a credential is if the minimum PIN length is too short.
If the RP for which the credential is being built is not allowed to see the minimum PIN length, the YubiKey will simply not return the minimum PIN length. This is not an error. The credential will be made, but it will not contain the minimum PIN length.
If the minimum PIN length is returned with the credential, it will be in the AuthenticatorData and can be retrieved using GetMinPinLengthExtension()
The caller supplies the AuthenticatorInfo
for the YubiKey,
obtained by calling the GetInfoCommand or
providing the AuthenticatorInfo property.
This method will determine from the authenticatorInfo
whether
the YubiKey supports this extension.
AddOption(string, bool)
Add an entry to the list of options.
public void AddOption(string optionKey, bool optionValue)
Parameters
optionKey
stringThe option to add. This is the key of the option key/value pair.
optionValue
boolThe value this option will possess.
Remarks
If the Options
list already contains an entry with the given
optionKey
, this method will replace it.
Note that the standard specifies valid option keys. Currently they are "rk", "up", and "uv". This method will accept any key given and pass it to the YubiKey. If an invalid key is used, the YubiKey will return an error.
Exceptions
- ArgumentNullException
The
optionKey
arg is null.
CborEncode()
Return a new byte array that is the object encoded following the FIDO2/CBOR standard.
public byte[] CborEncode()
Returns
- byte[]
The encoded construct.
Exceptions
- InvalidOperationException
The object contains no data.
ExcludeCredential(CredentialId)
Add an entry to the exclude list.
public void ExcludeCredential(CredentialId credentialId)
Parameters
credentialId
CredentialIdThe
credentialId
to add.
Remarks
If there is no list yet when this method is called, one will be created. That is, even if the ExcludeList is null, you can call the method to add an entry.
Exceptions
- ArgumentNullException
The
credentialId
arg is null.