AuthenticateDecryptResponse Class
Namespace: Yubico.YubiKey.Piv.Commands Assembly: Yubico.YubiKey.dllThe response to the authenticate: decrypt command, containing the plaintext result of the YubiKey's private key operation.
public sealed class AuthenticateDecryptResponse : AuthenticateResponse, IYubiKeyResponseWithData<byte[]>, IYubiKeyResponse
Remarks
This is the partner Response class to AuthenticateDecryptCommand.
The data returned by GetData
is a byte array,
containing the decrypted data. The data will be the same size as the key.
That is, for a 1024-bit RSA key, the decrypted data is 128 bytes, for
a 2048-bit key, the decrypted data is 256 bytes, for
a 3072-bit key, the decrypted data is 384 bytes, and for
a 4096-bit key, the decrypted data is 512 bytes.
The data returned is almost certainly formatted, either using PKCS 1 v. 1.5 or OAEP. It is the responsibility of the caller to extract the actual plaintext from the formatted data. For example, if the data to encrypt had originally been 32 bytes (possibly a 256-bit AES key) formatted using PKCS 1 v.1.5, and the RSA key is 1024 bits, then the decrypted data will look like this:
00 02 <93 random, non-zero bytes> 00 <32-byte plaintext>
OAEP is much more complicated. To learn about this formatting, see RFC 8017.
GetData
will throw an exception when the Status
is not Success
. This includes when the response indicates
AuthenticationRequired
, which
means the process was not completed because the wrong or no PIN was
entered, or the YubiKey was not touched within the time period. That
is, it is not an error, the process is simply incomplete.
Nonetheless, in that case the method will throw an exception.
Note that whether the PIN and/or touch is required depends on the PIN and touch policies specified at the time of generation or import.
Example:
IYubiKeyConnection connection = key.Connect(YubiKeyApplication.Piv);
var decryptCommand = new AuthenticateDecryptCommand(dataToDecrypt, PivSlot.KeyManagement);
AuthenticateDecryptResponse decryptResponse = connection.SendCommand(decryptCommand);
if (decryptResponse.Status != ResponseStatus.Success)
{
// handle error
}
byte[] decryptedData = decryptResponse.GetData();
Constructors
Name | Description |
---|---|
AuthenticateDecryptResponse(ResponseApdu) | Constructs an AuthenticateDecryptResponse based on a ResponseApdu received from the YubiKey. |