SerializedLargeBlobArray Class

Namespace: Yubico.YubiKey.Fido2 Assembly: Yubico.YubiKey.dll

Contains the Serialized Large Blob Array data. See also the user's manual entry on large blobs.

C#
public class SerializedLargeBlobArray
Inheritance object SerializedLargeBlobArray

Remarks

The Large Blob data is stored on the YubiKey as a "Serialized Large Blob Array". This is the "Large Blob Array" followed by a message digest value:

Large Blob Array || digest value

The digest value is the first 16 bytes of the SHA-256 digest of the Large Blob Array.

The Large Blob Array is a CBOR array (major type 4). For example, an array of 3 elements is encoded as 

0x83  element0  element1  element2

A YubiKey begins with no Large Blob data. It is possible to retrieve the Serialized Large Blob Array and the result will be a zero-count array with digest value: 

80 76be8b528d0075f7aae98d6fa57a6d3c
The 80 is the Large Blob Array (an array with zero elements), followed by the first 16 bytes of the SHA-256 digest of the single byte 0x80.

Each element in the Large Blob Array is a CBOR map consisting of three key/value pairs: 

 A3                      -- map of 3 key/value pairs
   01  --byte string--    -- key = 1, value is a byte string
   02  --byte string--    -- key = 2, value is a byte string
   03  --unsigned int--   -- key = 3, value is an unsigned int
where the byte string for key 01 is the AEAD-AES-GCM ciphertext
  containing the encrypted data and an authentication tag
the byte string for key 02 is the AES-GCM nonce, 12 bytes
and the unsigned int is the length, in bytes, of the original,
  uncompressed data
The key used to encrypt is the LargeBlobKey There is a different LargeBlobKey for each credential. Hence, each element in the Large Blob Array is data associated with one credential.

This class is the input to the SetSerializedLargeBlobArray(SerializedLargeBlobArray). To set a Large Blob Array, get the current array (GetSerializedLargeBlobArray()) and remove, replace, or add entries. Even if there are no entries in the YubiKey (e.g. it is a new YubiKey with the initial serialized large blob array) get the current array.

To add an entry, you will need the LargeBlobKey for one of the credentials.

This class is also the return from GetSerializedLargeBlobArray(). After getting the array, if there are any elements, they will be encrypted. Determine which elements you want to decrypt, obtain the LargeBlobKey for the associated credential and call the decryption method.

Constructors

Name Description
SerializedLargeBlobArray(ReadOnlyMemory<byte>)

Build a new instance of SerializedLargeBlobArray based on the given CBOR encoding.

Properties

Name Description
Digest

The digest of the array elements (left 16 bytes of SHA-256).
EncodedArray

The encoded Large Blob Array. This is the data that is digested. That is, perform Left16Bytes(SHA-256(EncodedArray)) and it should equal the Digest.
Entries

The list of entries in the Large Blob Array.

Methods

Name Description
AddEntry(ReadOnlyMemory<byte>, ReadOnlyMemory<byte>)

Add a new entry to the Entries. This method will build a new LargeBlobEntry from the blobData and the largeBlobKey
Encode()

Build the Serialized Large Blob Array. This builds the CBOR encoding of the large blob array, digests that array, and appends the digest.
IsDigestVerified()

Determine if the Digest verifies for the given EncodedArray.
RemoveEntry(int)

Remove the LargeBlobEntry at the given index from the Entries. Note that this can change the indices of the remaining entries.