AuthenticateDecryptResponse Class

Namespace: Yubico.YubiKey.Piv.Commands Assembly: Yubico.YubiKey.dll

The response to the authenticate: decrypt command, containing the plaintext result of the YubiKey's private key operation.

C#

public sealed class AuthenticateDecryptResponse : AuthenticateResponse, IYubiKeyResponseWithData<byte[]>, IYubiKeyResponse

Inheritance object YubiKeyResponse PivResponse AuthenticateResponse AuthenticateDecryptResponse

Implements

IYubiKeyResponseWithData<byte[]>

IYubiKeyResponse

Remarks

This is the partner Response class to AuthenticateDecryptCommand.

The data returned by GetData is a byte array, containing the decrypted data. The data will be the same size as the key. That is, for a 1024-bit RSA key, the decrypted data is 128 bytes, for a 2048-bit key, the decrypted data is 256 bytes, for a 3072-bit key, the decrypted data is 384 bytes, and for a 4096-bit key, the decrypted data is 512 bytes.

The data returned is almost certainly formatted, either using PKCS 1 v. 1.5 or OAEP. It is the responsibility of the caller to extract the actual plaintext from the formatted data. For example, if the data to encrypt had originally been 32 bytes (possibly a 256-bit AES key) formatted using PKCS 1 v.1.5, and the RSA key is 1024 bits, then the decrypted data will look like this:

00 02 <93 random, non-zero bytes> 00 <32-byte plaintext>

OAEP is much more complicated. To learn about this formatting, see RFC 8017.

GetData will throw an exception when the Status is not Success. This includes when the response indicates AuthenticationRequired, which means the process was not completed because the wrong or no PIN was entered, or the YubiKey was not touched within the time period. That is, it is not an error, the process is simply incomplete. Nonetheless, in that case the method will throw an exception.

Note that whether the PIN and/or touch is required depends on the PIN and touch policies specified at the time of generation or import.

Example:

IYubiKeyConnection connection = key.Connect(YubiKeyApplication.Piv);
var decryptCommand = new AuthenticateDecryptCommand(dataToDecrypt, PivSlot.KeyManagement);
AuthenticateDecryptResponse decryptResponse = connection.SendCommand(decryptCommand);
if (decryptResponse.Status != ResponseStatus.Success)
{
  // handle error
}
byte[] decryptedData = decryptResponse.GetData();

Constructors

Name	Description
AuthenticateDecryptResponse(ResponseApdu)	Constructs an AuthenticateDecryptResponse based on a ResponseApdu received from the YubiKey.