Class CompleteAuthenticateManagementKeyCommand

Namespace
Yubico.YubiKey.Piv.Commands
Assembly
Yubico.YubiKey.dll

Complete the process to authenticate the PIV management key.

public sealed class CompleteAuthenticateManagementKeyCommand : IYubiKeyCommand<CompleteAuthenticateManagementKeyResponse>
Inheritance
object
CompleteAuthenticateManagementKeyCommand
Implements
IYubiKeyCommand<CompleteAuthenticateManagementKeyResponse>

Remarks

In the PIV standard, there is a command called GENERAL AUTHENTICATE. Although it is one command, it can do four things: authenticate a management key (challenge-response), sign arbitrary data, perform RSA decryption, and perform EC Diffie-Hellman. The SDK breaks these four operations into separate classes. This class is how you complete the process of performing "GENERAL AUTHENTICATE: management key".

The partner Response class is CompleteAuthenticateManagementKeyResponse.

See the comments for the class InitializeAuthenticateManagementKeyCommand; they contain a lengthy discussion of the process of authenticating the management key, including descriptions of the challenges and responses.

When you pass a management key to this class (the management key to authenticate), the class will copy it, use it immediately, and overwrite the local buffer. The class will not keep a reference to your key data. Because of this, you can overwrite the management key data immediately upon return from the constructor if you want. See the User's Manual entry on sensitive data for more information on this topic.

This class will need a random number generator and either a Triple-DES or an AES object. It will get them from the CryptographyProviders class. That class builds default implementations, and it is possible to change it to build alternate versions. See the user's manual entry on alternate crypto for information on how to do so.

Constructors

CompleteAuthenticateManagementKeyCommand(InitializeAuthenticateManagementKeyResponse, ReadOnlySpan<byte>)

Build a new instance of the CompleteAuthenticateManagementKeyCommand class for the algorithm specified in initializeAuthenticationResponse.

public CompleteAuthenticateManagementKeyCommand(InitializeAuthenticateManagementKeyResponse initializeAuthenticationResponse, ReadOnlySpan<byte> managementKey)

Parameters

initializeAuthenticationResponse InitializeAuthenticateManagementKeyResponse

The Response Object from Step 1.

managementKey ReadOnlySpan<byte>

The bytes of the management key.

Remarks

The input Response Object is the successful Response from step 1. The response has information on whether the process was initiated for single or mutual authentication, along with the management key's algorithm. The object created using this constructor will therefore be able to perform the appropriate operations and build the appropriate APDU based on how the process was initiated.

This class will use the random number generator and Triple-DES or AES classes from CryptographyProviders. If you want this class to use implementations other than the defaults, change the providers in CryptographyProviders. See also the user's manual entry on alternate crypto for information on how to do so.
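The full two-step flow described above, as an added example (not code from the SDK or its documentation). It assumes the Initialize command's constructor takes a bool selecting mutual authentication and that the Complete response's GetData() returns an AuthenticateManagementKeyResult with a MutualFullyAuthenticated member; it wipes the caller's key copy as soon as the constructor has consumed it, as the remarks permit.

```csharp
using System.Security.Cryptography;
using Yubico.YubiKey;
using Yubico.YubiKey.Piv.Commands;

// Runs both GENERAL AUTHENTICATE steps for the PIV management key with mutual
// authentication. Added illustration, not SDK code: the Initialize constructor's
// bool parameter (true = mutual) and the AuthenticateManagementKeyResult enum
// are assumed from the SDK's public API.
public static class ManagementKeyAuthExample
{
    // Returns true only when both sides proved knowledge of the management key.
    // The caller's key buffer is zeroed before this method returns, success or not.
    public static bool AuthenticateMutually(IYubiKeyConnection pivConnection, byte[] managementKey)
    {
        // Step 1: request the YubiKey's challenge (true = mutual authentication).
        var initCommand = new InitializeAuthenticateManagementKeyCommand(true);
        InitializeAuthenticateManagementKeyResponse initResponse = pivConnection.SendCommand(initCommand);
        if (initResponse.Status != ResponseStatus.Success)
        {
            CryptographicOperations.ZeroMemory(managementKey);
            return false;
        }

        CompleteAuthenticateManagementKeyCommand completeCommand;
        try
        {
            // Step 2: the command copies the key, uses it at once and overwrites
            // its own buffer, so the caller's copy can be wiped as soon as the
            // constructor returns (or throws on a bad key or algorithm mismatch).
            completeCommand = new CompleteAuthenticateManagementKeyCommand(initResponse, managementKey);
        }
        finally
        {
            CryptographicOperations.ZeroMemory(managementKey);
        }

        CompleteAuthenticateManagementKeyResponse completeResponse = pivConnection.SendCommand(completeCommand);
        if (completeResponse.Status != ResponseStatus.Success)
        {
            return false;
        }

        // Under mutual authentication, anything short of a fully authenticated
        // result means the YubiKey's own response did not verify: treat as failure.
        return completeResponse.GetData() == AuthenticateManagementKeyResult.MutualFullyAuthenticated;
    }
}
```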

Exceptions

ArgumentNullException

The initializeAuthenticationResponse argument is null.

InvalidOperationException

The initializeAuthenticationResponse argument does not represent a complete response.

ArgumentException

The managementKey argument is not a valid key, or the algorithm is not valid or does not match the data.

CryptographicException

The Triple-DES or AES operation failed.

Properties

Algorithm

Which algorithm is the management key.

public PivAlgorithm Algorithm { get; }

Property Value

PivAlgorithm

Application

Gets the YubiKeyApplication to which this command belongs. For this command it's PIV.

public YubiKeyApplication Application { get; }

Property Value

YubiKeyApplication

YubiKeyApplication.Piv

Methods

CreateCommandApdu()

Creates a well-formed CommandApdu to send to the YubiKey.

public CommandApdu CreateCommandApdu()

Returns

CommandApdu

A valid CommandApdu that is ready to be sent to the YubiKey, or passed along to additional encoders for further processing.

Remarks

This method will first perform validation on all of the parameters and data provided to it. The CommandApdu it creates should contain all of the data payload for the command, even if it exceeds the 65,535-byte limit specified by ISO 7816-4. The APDU will be properly chained by the device connection prior to being sent to the YubiKey, and the responses will be collapsed into a single result.

CreateResponseForApdu(ResponseApdu)

Creates the corresponding IYubiKeyResponse implementation for the current command.

public CompleteAuthenticateManagementKeyResponse CreateResponseForApdu(ResponseApdu responseApdu)

Parameters

responseApdu ResponseApdu

The ResponseApdu returned by the YubiKey.

Returns

CompleteAuthenticateManagementKeyResponse

The implementation of IYubiKeyResponse that parses and presents this response APDU.