SerializedLargeBlobArray Class
Namespace: Yubico.YubiKey.Fido2
Assembly: Yubico.YubiKey.dll

Contains the Serialized Large Blob Array data. See also the user's manual entry on large blobs.

```csharp
public class SerializedLargeBlobArray : Object
```
Remarks
The Large Blob data is stored on the YubiKey as a "Serialized Large Blob Array". This is the "Large Blob Array" followed by a message digest value:

```
Large Blob Array || digest value
```

The digest value is the first 16 bytes of the SHA-256 digest of the Large Blob Array.

The Large Blob Array is a CBOR array (major type 4). For example, an array of 3 elements is encoded as

```
0x83 element0 element1 element2
```

A YubiKey begins with no Large Blob data. Retrieving the Serialized Large Blob Array at that point returns a zero-count array followed by its digest value:

```
80 76be8b528d0075f7aae98d6fa57a6d3c
```

The `80` is the Large Blob Array (an array with zero elements), followed by the first 16 bytes of the SHA-256 digest of the single byte `0x80`.
Each element in the Large Blob Array is a CBOR map consisting of three key/value pairs:

```
A3                    -- map of 3 key/value pairs
01 --byte string--    -- key = 1, value is a byte string
02 --byte string--    -- key = 2, value is a byte string
03 --unsigned int--   -- key = 3, value is an unsigned int
```

where the byte string for key 01 is the AEAD-AES-GCM ciphertext containing the encrypted data and an authentication tag, the byte string for key 02 is the AES-GCM nonce (12 bytes), and the unsigned int for key 03 is the length, in bytes, of the original, uncompressed data.

The key used to encrypt is the LargeBlobKey. There is a different LargeBlobKey for each credential. Hence, each element in the Large Blob Array is data associated with one credential.
This class is the input to SetSerializedLargeBlobArray(SerializedLargeBlobArray). To set a Large Blob Array, get the current array (GetSerializedLargeBlobArray()) and remove, replace, or add entries. Even if there are no entries on the YubiKey (e.g. it is a new YubiKey with the initial serialized large blob array), get the current array. To add an entry, you will need the LargeBlobKey for one of the credentials.

This class is also the return value of GetSerializedLargeBlobArray(). After getting the array, any elements it contains will be encrypted. Determine which elements you want to decrypt, obtain the LargeBlobKey for the associated credential, and call the decryption method.
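The layout described above, worked through in code. This is an added example written for this page, not code from the Yubico .NET SDK: it encodes the per-credential map (keys 1, 2, 3), wraps the entries in the CBOR array, appends the left 16 bytes of SHA-256, and verifies a serialized array the way IsDigestVerified() does. The ciphertext and nonce passed in are constructed placeholder bytes; producing real AES-GCM output under a LargeBlobKey is outside the scope of the example.

```python
import hashlib
import struct


def _cbor_head(major: int, arg: int) -> bytes:
    """CBOR initial byte(s): major type in the top 3 bits, argument/length after."""
    if arg < 24:
        return bytes([(major << 5) | arg])
    for extra, fmt in ((24, ">B"), (25, ">H"), (26, ">I"), (27, ">Q")):
        if arg < (1 << (8 * struct.calcsize(fmt))):
            return bytes([(major << 5) | extra]) + struct.pack(fmt, arg)
    raise ValueError("argument too large for CBOR")


def encode_entry(ciphertext: bytes, nonce: bytes, orig_size: int) -> bytes:
    """One element: CBOR map {1: ciphertext, 2: nonce, 3: origSize}.

    ciphertext stands for the AES-GCM output (encrypted data plus tag) made
    under the credential's LargeBlobKey; the encryption itself is not shown.
    """
    if len(nonce) != 12:
        raise ValueError("AES-GCM nonce must be 12 bytes")
    return (
        _cbor_head(5, 3)                                   # A3: map of 3 pairs
        + _cbor_head(0, 1) + _cbor_head(2, len(ciphertext)) + ciphertext
        + _cbor_head(0, 2) + _cbor_head(2, len(nonce)) + nonce
        + _cbor_head(0, 3) + _cbor_head(0, orig_size)
    )


def serialize(entries: list) -> bytes:
    """Serialized Large Blob Array: CBOR array (major type 4) || left 16 bytes of SHA-256."""
    array = _cbor_head(4, len(entries)) + b"".join(entries)
    return array + hashlib.sha256(array).digest()[:16]


def is_digest_verified(serialized: bytes) -> bool:
    """Recompute Left16Bytes(SHA-256(EncodedArray)) and compare with the trailing Digest."""
    if len(serialized) < 17:        # at least one array byte plus the 16-byte digest
        return False
    array, digest = serialized[:-16], serialized[-16:]
    return hashlib.sha256(array).digest()[:16] == digest


if __name__ == "__main__":
    # Empty array: the initial state of a new YubiKey.
    print(serialize([]).hex())  # 8076be8b528d0075f7aae98d6fa57a6d3c
    # Constructed sample entry (placeholder bytes, not real AES-GCM output).
    entry = encode_entry(ciphertext=bytes(range(20)), nonce=bytes(12), orig_size=100)
    blob = serialize([entry])
    print(is_digest_verified(blob), is_digest_verified(blob[:-1] + bytes([blob[-1] ^ 0xFF])))
```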
Constructors
Name | Description |
---|---|
SerializedLargeBlobArray(ReadOnlyMemory<Byte>) | Build a new instance of SerializedLargeBlobArray based on the given CBOR encoding. |
Properties
Name | Description |
---|---|
Digest | The digest of the array elements (left 16 bytes of SHA-256). |
EncodedArray | The encoded Large Blob Array. This is the data that is digested. That is, perform Left16Bytes(SHA-256(EncodedArray)) and it should equal the Digest. |
Entries | The list of entries in the Large Blob Array. |
Methods
Name | Description |
---|---|
AddEntry(ReadOnlyMemory<Byte>, ReadOnlyMemory<Byte>) | Add a new entry to the Entries. This method will build a new LargeBlobEntry from the |
Encode() | Build the Serialized Large Blob Array. This builds the CBOR encoding of the large blob array, digests that array, and appends the digest. |
IsDigestVerified() | Determine if the Digest verifies for the given EncodedArray. |
RemoveEntry(Int32) | Remove the |