AuthenticateSignResponse Class
Namespace: Yubico.YubiKey.Piv.Commands Assembly: Yubico.YubiKey.dllThe response to the authenticate: sign command, containing the signature built by the YubiKey.
public sealed class AuthenticateSignResponse : AuthenticateResponse, IYubiKeyResponseWithData<byte[]>, IYubiKeyResponse
Remarks
This is the partner Response class to AuthenticateSignCommand.
The data returned by GetData
is a byte[]
. The caller now
owns that data and can overwrite the buffer when done with it.
If the data had been signed by an RSA key, the data will be random-looking data the same size as the key. That is, for a 1024-bit RSA key, the signature is 128 bytes, for a 2048-bit key, the signature is 256 bytes, for a 3072-bit key, the signature is 384 bytes, and for a 4096-bit key, the signature is 512 bytes.
If the data had been signed by an ECC key, the signature will be the DER encoding of the following ASN.1 definition.
SEQUENCE {
r INTEGER,
s INTEGER
}
Both r and s are the same size as the key, so will be 32 (ECC-P256), or 48
(ECC-P384) bytes long. It is possible that the encoding of r or s will be
one extra bytes (a leading 00 byte), and it can be shorter. For example,
the DER encoding can look like these:
30 44
02 20
61 0C ... B3 <-- 32 bytes
02 20
59 EA ... 52 <-- 32 bytes
30 64
02 30
7f 22 ... 10 <-- 48 bytes
02 30
29 F1 ... 41 <-- 48 bytes
30 65
02 31
00 B3 47 ... 9C <-- 49 bytes
02 30
59 2D ... D8 <-- 48 bytes
GetData
will throw an exception when the Status
is not Success
. This includes when the response indicates
AuthenticationRequired
, which
means the process was not completed because the wrong or no PIN was
entered, or the YubiKey was not touched within the time period. That
is, it is not an error, the process is simply incomplete.
Nonetheless, in that case the method will throw an exception.
Note that whether the PIN and/or touch is required depends on the PIN and touch policies specified at the time of generation or import.
Example:
/* This example assumes there is some code that will digest the data. */
byte[] sha384Digest = DigestDataToSign(SHA384, dataToSign);
IYubiKeyConnection connection = key.Connect(YubiKeyApplication.Piv);
var signCommand = new AuthenticateSignCommand(sha384Digest, PivSlot.Signing);
AuthenticateSignResponse signResponse = connection.SendCommand(signCommand);
if (signResponse.Status != ResponseStatus.Success)
{
// handle error
}
byte[] signature = signResponse.GetData();
Constructors
Name | Description |
---|---|
AuthenticateSignResponse(ResponseApdu) | Constructs an AuthenticateSignResponse based on a ResponseApdu received from the YubiKey. |