AuthenticateSignResponse Class

Namespace: Yubico.YubiKey.Piv.Commands Assembly: Yubico.YubiKey.dll

The response to the authenticate: sign command, containing the signature built by the YubiKey.

public sealed class AuthenticateSignResponse : AuthenticateResponse, IYubiKeyResponseWithData<byte[]>, IYubiKeyResponse

Inheritance System.Object YubiKeyResponse PivResponse AuthenticateResponse AuthenticateSignResponse

Implements

IYubiKeyResponseWithData<System.Byte[]>

IYubiKeyResponse

Remarks

This is the partner Response class to AuthenticateSignCommand.

The data returned by GetData is a byte[]. The caller now owns that data and can overwrite the buffer when done with it.

If the data had been signed by an RSA key, the data will be random-looking data the same size as the key. That is, for a 1024-bit RSA key, the signature is 128 bytes, and for a 2048-bit key, the signature is 256 bytes.

If the data had been signed by an ECC key, the signature will be the DER encoding of the following ASN.1 definition.

   SEQUENCE {
     r   INTEGER,
     s   INTEGER
   }

Both r and s are the same size as the key, so will be 32 (ECC-P256), or 48 (ECC-P384) bytes long. It is possible that the encoding of r or s will be one extra bytes (a leading 00 byte), and it can be shorter. For example, the DER encoding can look like these:

  30 44
     02 20
        61 0C ... B3       <-- 32 bytes
     02 20
        59 EA ... 52       <-- 32 bytes
  30 64
     02 30
        7f 22 ... 10       <-- 48 bytes
     02 30
        29 F1 ... 41       <-- 48 bytes
  30 65
     02 31
        00 B3 47 ... 9C    <-- 49 bytes
     02 30
        59 2D ... D8       <-- 48 bytes

GetData will throw an exception when the Status is not Success. This includes when the response indicates AuthenticationRequired, which means the process was not completed because the wrong or no PIN was entered, or the YubiKey was not touched within the time period. That is, it is not an error, the process is simply incomplete. Nonetheless, in that case the method will throw an exception.

Note that whether the PIN and/or touch is required depends on the PIN and touch policies specified at the time of generation or import.

Example:

  /* This example assumes there is some code that will digest the data. */
  byte[] sha384Digest = DigestDataToSign(SHA384, dataToSign);

  IYubiKeyConnection connection = key.Connect(YubiKeyApplication.Piv);

  var signCommand = new AuthenticateSignCommand(sha384Digest, PivSlot.Signing);
  AuthenticateSignResponse signResponse = connection.SendCommand(signCommand);

  if (signResponse.Status != ResponseStatus.Success)
  {
    // handle error
  }
  byte[] signature = signResponse.GetData();

Constructors

Name	Description
AuthenticateSignResponse(ResponseApdu)	Constructs an AuthenticateSignResponse based on a ResponseApdu received from the YubiKey.