Class CreateAttestationStatementCommand

Namespace
Yubico.YubiKey.Piv.Commands
Assembly
Yubico.YubiKey.dll

Build an attestation statement for a private key in a specified slot.

public sealed class CreateAttestationStatementCommand : IYubiKeyCommand<CreateAttestationStatementResponse>
Inheritance
object
CreateAttestationStatementCommand
Implements
IYubiKeyCommand<CreateAttestationStatementResponse>

Remarks

An attestation statement is an X.509 certificate. It verifies that a private key has been generated by the YubiKey. If the private key in a slot was imported, this command will not work.

The create attestation statement command is available on YubiKey version 4.3 and later.

The partner Response class is CreateAttestationStatementResponse.

It is possible to build attestation statements for keys in slots 9A, 9C, 9D, 9E, and 82 through 95. The certificate created will contain the public key partner to the private key in the slot, along with the YubiKey's serial number. The cert will be signed by the attestation key, the private key in slot F9.

Example:

using System.Security.Cryptography.X509Certificates;
using Yubico.YubiKey;
using Yubico.YubiKey.Piv.Commands;

// key is an IYubiKeyDevice, e.g. one returned by YubiKeyDevice.FindAll().
IYubiKeyConnection connection = key.Connect(YubiKeyApplication.Piv);
var createAttestationStatementCommand = new CreateAttestationStatementCommand(0x9A);
CreateAttestationStatementResponse createAttestationStatementResponse =
    connection.SendCommand(createAttestationStatementCommand);
if (createAttestationStatementResponse.Status != ResponseStatus.Success)
{
    // Handle error: the slot is empty, or its key was imported rather than
    // generated on the YubiKey, so no attestation statement can be built.
}
X509Certificate2 attestationStatement = createAttestationStatementResponse.GetData();
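The statement is only useful once it is checked: the remarks above say it is signed by the slot F9 attestation key, so a verifier should chain it through the F9 certificate to a root it trusts. The following is an added example, not code from the SDK or its documentation; it assumes the caller has already obtained the slot F9 certificate and the trusted Yubico root certificate by other means.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Yubico.YubiKey;
using Yubico.YubiKey.Piv.Commands;

public static class AttestationCheck
{
    // Requests an attestation statement for slotNumber and verifies that it
    // chains through the YubiKey's slot F9 certificate to trustedRoot.
    // slotF9Cert and trustedRoot are assumed to be supplied by the caller.
    public static bool AttestAndVerify(
        IYubiKeyDevice yubiKey,
        byte slotNumber,
        X509Certificate2 slotF9Cert,
        X509Certificate2 trustedRoot)
    {
        using IYubiKeyConnection connection = yubiKey.Connect(YubiKeyApplication.Piv);

        var command = new CreateAttestationStatementCommand(slotNumber);
        CreateAttestationStatementResponse response = connection.SendCommand(command);

        // An empty slot or an imported key yields a non-success status.
        // Treat that as "not attested" rather than as a recoverable condition.
        if (response.Status != ResponseStatus.Success)
        {
            return false;
        }

        using X509Certificate2 statement = response.GetData();

        using var chain = new X509Chain();
        // Trust only the root the caller handed in, not the machine store.
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(trustedRoot);
        // Make the F9 certificate available as the intermediate.
        chain.ChainPolicy.ExtraStore.Add(slotF9Cert);
        // Attestation certificates do not publish revocation information.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

        if (!chain.Build(statement))
        {
            return false;
        }

        // The statement must have been issued by the F9 certificate itself,
        // not merely by some certificate that happens to chain to the root.
        return chain.ChainElements.Count >= 2
            && string.Equals(chain.ChainElements[1].Certificate.Thumbprint,
                             slotF9Cert.Thumbprint, StringComparison.OrdinalIgnoreCase);
    }
}
```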

Constructors

CreateAttestationStatementCommand()

Initializes a new instance of the CreateAttestationStatementCommand class.

public CreateAttestationStatementCommand()

Remarks

This constructor is provided for those developers who want to use the object initializer pattern. For example:

var command = new CreateAttestationStatementCommand()
{
    SlotNumber = PivSlot.Signing,
};

There is no default slot number, hence, for this command to be valid, the slot number must be specified. So if you create an object using this constructor, you must set the SlotNumber property at some time before using it. Otherwise you will get an exception when you do use it.

CreateAttestationStatementCommand(byte)

Initializes a new instance of the CreateAttestationStatementCommand class. This command takes the slot number as input.

public CreateAttestationStatementCommand(byte slotNumber)

Parameters

slotNumber byte

The slot number containing the key to attest.

Remarks

The slot number must be either 0x9A, 0x9C, 0x9D, 0x9E, or 0x82 through 0x95. These are the slots named PivSlot.Authentication, PivSlot.Signing, PivSlot.KeyManagement, PivSlot.CardAuthentication, and PivSlot.Retired1 through PivSlot.Retired20.

If the slot specified does not have a private key, the YubiKey will not build a certificate and will return an error StatusWord.

Properties

Application

Gets the YubiKeyApplication to which this command belongs. For this command, it's PIV.

public YubiKeyApplication Application { get; }

Property Value

YubiKeyApplication

YubiKeyApplication.Piv

SlotNumber

The slot holding the key to be attested.

public byte SlotNumber { get; set; }

Property Value

byte

The slot number; see PivSlot.

Exceptions

ArgumentException

The slot specified is not valid for attestation.

Methods

CreateCommandApdu()

Creates a well-formed CommandApdu to send to the YubiKey.

public CommandApdu CreateCommandApdu()

Returns

CommandApdu

A valid CommandApdu that is ready to be sent to the YubiKey, or passed along to additional encoders for further processing.

Remarks

This method will first perform validation on all of the parameters and data provided to it. The CommandApdu it creates should contain all of the data payload for the command, even if it exceeds the 65,535 bytes specified by the ISO 7816-4 specification. The APDU will be properly chained by the device connection prior to being sent to the YubiKey, and the responses will be collapsed into a single result.

Exceptions

InvalidOperationException

The slot specified is not valid for attestation.

CreateResponseForApdu(ResponseApdu)

Creates the corresponding IYubiKeyResponse implementation for the current command.

public CreateAttestationStatementResponse CreateResponseForApdu(ResponseApdu responseApdu)

Parameters

responseApdu ResponseApdu

The ResponseApdu returned by the YubiKey.

Returns

CreateAttestationStatementResponse

The implementation of IYubiKeyResponse that parses and presents this response APDU.