Class PinUvAuthProtocolTwo

Namespace
Yubico.YubiKey.Fido2.PinProtocols
Assembly
Yubico.YubiKey.dll

This class contains methods that perform the platform operations of FIDO2's PIN/UV auth protocol two.

public class PinUvAuthProtocolTwo : PinUvAuthProtocolBase
Inheritance
object
PinUvAuthProtocolTwo

Constructors

PinUvAuthProtocolTwo()

Constructs a new instance of PinUvAuthProtocolTwo.

public PinUvAuthProtocolTwo()

Methods

Authenticate(byte[])

Returns the result of computing HMAC-SHA-256 on the given message using the AuthenticationKey. With protocol 1, the result is the first 16 bytes of the HMAC, and with protocol 2 it is the entire 32-byte result.

public override byte[] Authenticate(byte[] message)

Parameters

message byte[]

The data to be authenticated.

Returns

byte[]

A new byte array containing the authentication result.

Exceptions

ArgumentNullException

The message argument is null.

InvalidOperationException

The object has been created or initialized, but the Encapsulate(CoseKey) method has not been called.

Authenticate(byte[], byte[])

Returns the result of computing HMAC-SHA-256 on the given message using the provided keyData. With protocol 1, the result is the first 16 bytes of the HMAC, and with protocol 2 it is the entire 32-byte result.

protected override byte[] Authenticate(byte[] keyData, byte[] message)

Parameters

keyData byte[]

The key to use to authenticate.

message byte[]

The data to be authenticated.

Returns

byte[]

A new byte array containing the authentication result.

Exceptions

ArgumentNullException

The keyData or message argument is null.

Decrypt(byte[], int, int)

Returns the AES-256-CBC decryption of ciphertext using the EncryptionKey and an IV specified by the protocol. With protocol 1, the IV is all 00 bytes. With protocol 2, it is the first 16 bytes (one AES block) of ciphertext.

public override byte[] Decrypt(byte[] ciphertext, int offset, int length)

Parameters

ciphertext byte[]

The data to decrypt.

offset int

The offset in ciphertext where the method will begin decrypting.

length int

The number of bytes to decrypt.

Returns

byte[]

A new byte array containing the decrypted data.

Remarks

Note that this method will verify that the input buffer, offset, and length are valid.

Exceptions

ArgumentNullException

The ciphertext argument is null.

InvalidOperationException

The object has been created or initialized, but the Encapsulate(CoseKey) method has not been called.

ArgumentException

The length of the ciphertext is not a multiple of the AES block size (16 bytes).

DeriveKeys(byte[])

The key derivation function to run while performing ECDH. This will derive both the EncryptionKey and the AuthenticationKey.

protected override void DeriveKeys(byte[] buffer)

Parameters

buffer byte[]

The shared value computed by ECDH.

Exceptions

ArgumentNullException

The buffer argument is null.

InvalidOperationException

The HMAC with SHA-256 provider failed.

Dispose(bool)

Releases resources and overwrites sensitive data.

protected override void Dispose(bool disposing)

Parameters

disposing bool

Encrypt(byte[], int, int)

Returns the AES-256-CBC encryption of plaintext using an IV specified by the protocol and the EncryptionKey. With protocol 1 the IV is all 00 bytes. With protocol 2, it is a new, random value.

public override byte[] Encrypt(byte[] plaintext, int offset, int length)

Parameters

plaintext byte[]

The data to encrypt.

offset int

The offset in plaintext where the method will begin encrypting.

length int

The number of bytes to encrypt.

Returns

byte[]

A new byte array containing the encrypted data. With protocol 2, the ciphertext is actually the concatenation of the IV and the encrypted data.

Exceptions

ArgumentNullException

The plaintext argument is null.

InvalidOperationException

The object has been created or initialized, but the Encapsulate(CoseKey) method has not been called.

ArgumentException

The length of the plaintext is not a multiple of the AES block size (16 bytes).
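
The protocol two ciphertext layout described for Encrypt and Decrypt above, reproduced with .NET's System.Security.Cryptography as an added example; it is not Yubico SDK code. ProtocolTwoLayout and its helpers are hypothetical names, and the key is a random sample rather than an EncryptionKey produced by DeriveKeys.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;

// Added illustration of the protocol two layout; not Yubico SDK code. All names are hypothetical.
static class ProtocolTwoLayout
{
    const int Block = 16; // AES block size in bytes
    static Aes NewCbc()
    {
        Aes aes = Aes.Create();
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.None; // caller must supply whole blocks
        return aes;
    }

    // Protocol two: fresh random IV per call, output is IV || AES-256-CBC(plaintext).
    static byte[] Encrypt(byte[] key, byte[] plaintext)
    {
        if (plaintext.Length % Block != 0)
            throw new ArgumentException("Length must be a multiple of 16.");
        byte[] iv = new byte[Block];
        RandomNumberGenerator.Fill(iv);
        using Aes aes = NewCbc();
        using ICryptoTransform enc = aes.CreateEncryptor(key, iv);
        return iv.Concat(enc.TransformFinalBlock(plaintext, 0, plaintext.Length)).ToArray();
    }

    // Protocol two: the IV is the first block of the input; only the remainder is decrypted.
    static byte[] Decrypt(byte[] key, byte[] data)
    {
        if (data.Length < Block || data.Length % Block != 0)
            throw new ArgumentException("Expected an IV followed by whole blocks.");
        using Aes aes = NewCbc();
        using ICryptoTransform dec = aes.CreateDecryptor(key, data.AsSpan(0, Block).ToArray());
        return dec.TransformFinalBlock(data, Block, data.Length - Block);
    }

    static void Main()
    {
        byte[] key = new byte[32]; // constructed sample key, not a derived EncryptionKey
        RandomNumberGenerator.Fill(key);
        byte[] plaintext = new byte[64]; // constructed block-aligned sample input
        byte[] c1 = Encrypt(key, plaintext), c2 = Encrypt(key, plaintext);
        Console.WriteLine($"ciphertext length: {c1.Length}");
        Console.WriteLine($"outputs equal: {CryptographicOperations.FixedTimeEquals(c1, c2)}");
        Console.WriteLine($"round trip: {CryptographicOperations.FixedTimeEquals(Decrypt(key, c1), plaintext)}");
    }
}
```

Each output is one block longer than its plaintext, and encrypting the same plaintext twice yields different bytes because every call draws a new IV.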