
AuthenticateDecryptCommand Class

Namespace: Yubico.YubiKey.Piv.Commands
Assembly: Yubico.YubiKey.dll

Decrypt data using the private RSA key in one of the PIV slots.

C#
public sealed class AuthenticateDecryptCommand : AuthenticateCommand, IYubiKeyCommand<AuthenticateDecryptResponse>
Inheritance: object > AuthenticateCommand > AuthenticateDecryptCommand
Implements: IYubiKeyCommand<AuthenticateDecryptResponse>

Remarks

In the PIV standard, there is a command called GENERAL AUTHENTICATE. Although it is one command, it can do four things: authenticate a management key (challenge-response), sign arbitrary data, RSA decryption, and EC Diffie-Hellman. The SDK breaks these four operations into separate classes. This class is how you perform "GENERAL AUTHENTICATE: RSA Decryption".

The partner Response class is AuthenticateDecryptResponse.

Use this Command class only if the slot selected holds an RSA private key. If the private key in a slot called upon to perform this command is ECC, the YubiKey will return an error. While there is an algorithm known as "EC Encryption Scheme" (aka "EC El Gamal"), the YubiKey does not support it. Hence, this command will not be able to decrypt using an EC key. Therefore, you should know which algorithm (and size) the key in the requested slot is before calling on this class.

Decrypting may require that the PIN be verified first. PIN verification is not part of this command. For information on how to verify a PIN in order to perform operations, see the User's Manual entry on PIV commands access control.

The caller supplies the slot to use. Slot 9D is the "key management" slot, but any PIV slot that holds a private key, other than F9, will be able to decrypt (as long as it contains an RSA private key). That is, any PIV slot other than 80, 81, 9B, or F9 will be able to decrypt. Note that slot F9 contains the attestation key, which will sign a certificate it creates, but it cannot decrypt.

The caller supplies the data to decrypt. It must be a block the same size as the key. For an RSA-1024 key, the block must be 128 bytes, for an RSA-2048 key, the block must be 256 bytes, for an RSA-3072 key, the block must be 384 bytes, and for an RSA-4096 key, the block must be 512 bytes. If the actual data to decrypt is shorter, it must be provided with as many prepended 00 bytes as needed to make sure the block is the appropriate length.

This class will copy a reference to the data to decrypt, so you should not clear or alter that input data until this class is done with it, which is after the call to SendCommand.

Example:

IYubiKeyConnection connection = key.Connect(YubiKeyApplication.Piv);
var decryptCommand = new AuthenticateDecryptCommand(dataToDecrypt, PivSlot.KeyManagement);
AuthenticateDecryptResponse decryptResponse = connection.SendCommand(decryptCommand);
if (decryptResponse.Status != ResponseStatus.Success)
{
  // handle error
}
byte[] decryptedData = decryptResponse.GetData();
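
The block-size rule above can be enforced before the command is built. The following is an added example, not code from the SDK or its documentation: PivDecryptHelper, ToKeySizedBlock and Decrypt are hypothetical names, and it assumes the connection is already open, the PIN has been verified if the slot requires it, and the caller knows the RSA key size in the slot.

```csharp
using System;
using Yubico.YubiKey;
using Yubico.YubiKey.Piv.Commands;

// Added example; the class and method names are hypothetical.
public static class PivDecryptHelper
{
    // Left-pad the input with 00 bytes so it is exactly one RSA block
    // (128, 256, 384 or 512 bytes for RSA-1024/2048/3072/4096).
    public static byte[] ToKeySizedBlock(ReadOnlySpan<byte> ciphertext, int keySizeBits)
    {
        int blockSize = keySizeBits switch
        {
            1024 => 128,
            2048 => 256,
            3072 => 384,
            4096 => 512,
            _ => throw new ArgumentException("Unsupported RSA key size.", nameof(keySizeBits)),
        };

        // Input longer than the block cannot belong to a key of this size.
        if (ciphertext.Length > blockSize)
        {
            throw new ArgumentException("Data is longer than the key block.", nameof(ciphertext));
        }

        var block = new byte[blockSize]; // new arrays are zero-filled
        ciphertext.CopyTo(block.AsSpan(blockSize - ciphertext.Length));
        return block;
    }

    public static byte[] Decrypt(
        IYubiKeyConnection connection, byte slot, ReadOnlySpan<byte> ciphertext, int keySizeBits)
    {
        byte[] block = ToKeySizedBlock(ciphertext, keySizeBits);

        // The command keeps a reference to 'block', so it is left
        // untouched until SendCommand has returned.
        var command = new AuthenticateDecryptCommand(block, slot);
        AuthenticateDecryptResponse response = connection.SendCommand(command);

        if (response.Status != ResponseStatus.Success)
        {
            throw new InvalidOperationException($"Decrypt failed with status {response.Status}.");
        }
        return response.GetData();
    }
}
```

Because the helper copies the input into its own array, the caller's buffer can be reused or cleared immediately without affecting the pending command.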

Constructors

Name Description
AuthenticateDecryptCommand(ReadOnlyMemory<byte>, byte)

Initializes a new instance of the AuthenticateDecryptCommand class. This command takes the slot number and the data to decrypt.

Methods

Name Description
CreateResponseForApdu(ResponseApdu)

Creates the corresponding IYubiKeyResponse implementation for the current command.
