AuthenticateSignResponse Class

Namespace: Yubico.YubiKey.Piv.Commands Assembly: Yubico.YubiKey.dll

The response to the authenticate: sign command, containing the signature built by the YubiKey.

C#

public sealed class AuthenticateSignResponse : AuthenticateResponse, IYubiKeyResponseWithData<byte[]>, IYubiKeyResponse

Inheritance object YubiKeyResponse PivResponse AuthenticateResponse AuthenticateSignResponse

Implements

IYubiKeyResponseWithData<byte[]>

IYubiKeyResponse

Remarks

This is the partner Response class to AuthenticateSignCommand.

The data returned by GetData is a byte[]. The caller now owns that data and can overwrite the buffer when done with it.

If the data had been signed by an RSA key, the data will be random-looking data the same size as the key. That is, for a 1024-bit RSA key, the signature is 128 bytes, for a 2048-bit key, the signature is 256 bytes, for a 3072-bit key, the signature is 384 bytes, and for a 4096-bit key, the signature is 512 bytes.

If the data had been signed by an ECC key, the signature will be the DER encoding of the following ASN.1 definition.

SEQUENCE {
  r   INTEGER,
  s   INTEGER
}

Both r and s are the same size as the key, so will be 32 (ECC-P256), or 48 (ECC-P384) bytes long. It is possible that the encoding of r or s will be one extra bytes (a leading 00 byte), and it can be shorter. For example, the DER encoding can look like these:

30 44
   02 20
      61 0C ... B3       <-- 32 bytes
   02 20
      59 EA ... 52       <-- 32 bytes
30 64
   02 30
      7f 22 ... 10       <-- 48 bytes
   02 30
      29 F1 ... 41       <-- 48 bytes
30 65
   02 31
      00 B3 47 ... 9C    <-- 49 bytes
   02 30
      59 2D ... D8       <-- 48 bytes

GetData will throw an exception when the Status is not Success. This includes when the response indicates AuthenticationRequired, which means the process was not completed because the wrong or no PIN was entered, or the YubiKey was not touched within the time period. That is, it is not an error, the process is simply incomplete. Nonetheless, in that case the method will throw an exception.

Note that whether the PIN and/or touch is required depends on the PIN and touch policies specified at the time of generation or import.

Example:

/* This example assumes there is some code that will digest the data. */
byte[] sha384Digest = DigestDataToSign(SHA384, dataToSign);
IYubiKeyConnection connection = key.Connect(YubiKeyApplication.Piv);
var signCommand = new AuthenticateSignCommand(sha384Digest, PivSlot.Signing);
AuthenticateSignResponse signResponse = connection.SendCommand(signCommand);
if (signResponse.Status != ResponseStatus.Success)
{
  // handle error
}
byte[] signature = signResponse.GetData();

Constructors

Name	Description
AuthenticateSignResponse(ResponseApdu)	Constructs an AuthenticateSignResponse based on a ResponseApdu received from the YubiKey.