Class GenerateKeyPairCommand

Namespace
Yubico.YubiKey.Piv.Commands
Assembly
Yubico.YubiKey.dll

Generate a new asymmetric key pair.

public sealed class GenerateKeyPairCommand : IYubiKeyCommand<GenerateKeyPairResponse>
Inheritance
object
GenerateKeyPairCommand
Implements
IYubiKeyCommand<GenerateKeyPairResponse>
Remarks

The partner Response class is GenerateKeyPairResponse.

In order to generate a key pair, you must authenticate the management key. The management key is not part of this command. For information on how to authenticate a management key in order to perform operations, see the User's Manual entry on PIV commands access control.

When you generate a key pair, you specify which slot will hold this new key. If there is a key in that slot already, this command will replace it. That old key will be gone and there will be nothing you can do to recover it. Hence, use this command with caution.

Note that this command will generate a key pair, and from the Response class you can retrieve the public key. However, you will still need to obtain a certificate for this private key outside of this SDK. Once you have the certificate, you can load it into the YubiKey using the Put Data command.

The PIN policy determines whether using the private key to sign or decrypt requires authenticating with the PIN. By default, the PIN policy is Always: the PIN must be verified each time the key in that slot is used. See the User's Manual entry on PIN and touch policies for more information.

Similarly, the touch policy determines whether using the private key will require touch or not. The default is never.

Example:

IYubiKeyConnection connection = key.Connect(YubiKeyApplication.Piv);
var generateKeyPairCommand = new GenerateKeyPairCommand(
    PivSlot.Signing, PivAlgorithm.EccP384, PivPinPolicy.Default, PivTouchPolicy.Default);
GenerateKeyPairResponse generateKeyPairResponse =
    connection.SendCommand(generateKeyPairCommand);
// The status is on the response, not the command; GetData() throws if it is not Success.
if (generateKeyPairResponse.Status != ResponseStatus.Success)
{
  // Handle error
}
PivPublicKey pubKey = generateKeyPairResponse.GetData();

Constructors

GenerateKeyPairCommand()

Initializes a new instance of the GenerateKeyPairCommand class. This command will set the PinPolicy and TouchPolicy to the defaults.

public GenerateKeyPairCommand()

Remarks

This constructor is provided for those developers who want to use the object initializer pattern. For example:

var command = new GenerateKeyPairCommand()
{
    SlotNumber = PivSlot.Authentication,
    Algorithm = PivAlgorithm.Rsa2048,
    PinPolicy = PivPinPolicy.Once,
};

There is no default slot number or algorithm, so for this command to be valid both the slot number and the algorithm must be specified. If you create an object using this constructor, you must set the SlotNumber and Algorithm properties before using it; otherwise the command will throw an exception when it is used.
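The following is an added example, not code from the SDK documentation, that ties together the Remarks above: it uses the object-initializer form, checks the slot and algorithm locally against the rules this page states (asymmetric slot; one of Rsa1024, Rsa2048, EccP256, EccP384) before anything reaches the YubiKey, sets explicit PIN and touch policies rather than relying on the defaults, and reads the status from the response. It assumes the caller has already opened a PIV connection and authenticated the management key (this page says that step is separate from the command), and it assumes the PivSlot constants Authentication, Signing, KeyManagement, CardAuthentication, Retired1 and Retired20 and the ResponseStatus and StatusMessage members of the response, none of which are defined on this page.

```csharp
using System;
using Yubico.YubiKey;
using Yubico.YubiKey.Piv;
using Yubico.YubiKey.Piv.Commands;

// Added example; not part of the SDK reference. Assumes `connection` was opened
// with key.Connect(YubiKeyApplication.Piv) and that the management key has already
// been authenticated on it (neither step is shown here).
public static class KeyGeneration
{
    // The only algorithms this command accepts, per the constructor Remarks.
    private static readonly PivAlgorithm[] AllowedAlgorithms =
    {
        PivAlgorithm.Rsa1024, PivAlgorithm.Rsa2048,
        PivAlgorithm.EccP256, PivAlgorithm.EccP384,
    };

    // Slots that hold an asymmetric key: 9A, 9C, 9D, 9E and the retired slots 82..95.
    // (Assumes these PivSlot constants exist in the SDK; they are not listed on this page.)
    private static bool IsAsymmetricSlot(byte slot) =>
        slot == PivSlot.Authentication || slot == PivSlot.Signing ||
        slot == PivSlot.KeyManagement || slot == PivSlot.CardAuthentication ||
        (slot >= PivSlot.Retired1 && slot <= PivSlot.Retired20);

    public static PivPublicKey GenerateWithPolicies(
        IYubiKeyConnection connection,
        byte slot,
        PivAlgorithm algorithm,
        PivPinPolicy pinPolicy = PivPinPolicy.Always,
        PivTouchPolicy touchPolicy = PivTouchPolicy.Cached)
    {
        // Validate before building the command. The property setters would throw
        // ArgumentException anyway, but failing here gives a clearer message and
        // guarantees a malformed request never replaces a key already in the slot.
        if (!IsAsymmetricSlot(slot))
        {
            throw new ArgumentOutOfRangeException(nameof(slot),
                $"Slot 0x{slot:X2} does not hold an asymmetric key.");
        }
        if (Array.IndexOf(AllowedAlgorithms, algorithm) < 0)
        {
            throw new ArgumentException(
                $"{algorithm} cannot be generated by this command.", nameof(algorithm));
        }

        // Object-initializer pattern from the parameterless constructor's Remarks.
        var command = new GenerateKeyPairCommand
        {
            SlotNumber = slot,
            Algorithm = algorithm,
            PinPolicy = pinPolicy,
            TouchPolicy = touchPolicy,
        };

        GenerateKeyPairResponse response = connection.SendCommand(command);

        // Check the response, not the command. GetData() throws on a non-success
        // status, so report Status and StatusMessage first (for example, a status of
        // AuthenticationRequired means the management key was not authenticated).
        if (response.Status != ResponseStatus.Success)
        {
            throw new InvalidOperationException(
                $"Key generation in slot 0x{slot:X2} failed: " +
                $"{response.Status} ({response.StatusMessage})");
        }

        return response.GetData();
    }

    // The public key is all the caller receives. It must be taken to a CA to obtain a
    // certificate, which is then loaded with the Put Data command; here it is just
    // rendered as the PIV-encoded bytes for that purpose.
    public static string DescribePublicKey(PivPublicKey publicKey) =>
        $"{publicKey.Algorithm}: " +
        BitConverter.ToString(publicKey.PivEncodedPublicKey.ToArray());
}
```

The defaults chosen here (PIN Always, touch Cached) are deliberately stricter than the command's own touch default of Never; a caller generating a signing key in PivSlot.Signing would invoke `GenerateWithPolicies(connection, PivSlot.Signing, PivAlgorithm.EccP384)` and keep the returned PivPublicKey for the certificate request. Because the command overwrites any key already in the slot, the local checks matter most when slot and algorithm arrive from configuration rather than from constants in code.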

GenerateKeyPairCommand(byte, KeyType, PivPinPolicy, PivTouchPolicy)

public GenerateKeyPairCommand(byte slotNumber, KeyType keyType, PivPinPolicy pinPolicy, PivTouchPolicy touchPolicy)

Parameters

slotNumber byte
keyType KeyType
pinPolicy PivPinPolicy
touchPolicy PivTouchPolicy

GenerateKeyPairCommand(byte, PivAlgorithm, PivPinPolicy, PivTouchPolicy)

Initializes a new instance of the GenerateKeyPairCommand class. This command takes the slot number, algorithm, and PIN and touch policies as input.

public GenerateKeyPairCommand(byte slotNumber, PivAlgorithm algorithm, PivPinPolicy pinPolicy, PivTouchPolicy touchPolicy)

Parameters

slotNumber byte

The slot which will hold the private key.

algorithm PivAlgorithm

The algorithm (and size) of the key to generate.

pinPolicy PivPinPolicy

The PIN policy the key will have.

touchPolicy PivTouchPolicy

The touch policy the key will have.

Remarks

The slot number must be for a slot that holds an asymmetric key. See the User's Manual entry on PIV slots and PivSlot.

Note that the algorithm argument is of type PivAlgorithm, which includes None, TripleDes, and Pin. However, the only allowed values for this command are Rsa1024, Rsa2048, EccP256, and EccP384.

Both the touch policy and PIN policy enum arguments have None as a possible value. This command will treat a policy of None the same as Default.

Properties

Algorithm

The algorithm (and size) of the key to generate.

public PivAlgorithm Algorithm { get; set; }

Property Value

PivAlgorithm

The algorithm.

Exceptions

ArgumentException

The algorithm specified is not valid for key pair generation.

Application

Gets the YubiKeyApplication to which this command belongs. For this command it's PIV.

public YubiKeyApplication Application { get; }

Property Value

YubiKeyApplication

YubiKeyApplication.Piv

PinPolicy

The PIN policy the key will have. None is equivalent to Default.

public PivPinPolicy PinPolicy { get; set; }

Property Value

PivPinPolicy

The PIN policy.

SlotNumber

The slot for which a key pair will be generated.

public byte SlotNumber { get; set; }

Property Value

byte

The slot number; see PivSlot.

Exceptions

ArgumentException

The slot specified is not valid for public key operations.

TouchPolicy

The touch policy the key will have. None is equivalent to Default.

public PivTouchPolicy TouchPolicy { get; set; }

Property Value

PivTouchPolicy

The touch policy.

Methods

CreateCommandApdu()

Creates a well-formed CommandApdu to send to the YubiKey.

public CommandApdu CreateCommandApdu()

Returns

CommandApdu

A valid CommandApdu that is ready to be sent to the YubiKey, or passed along to additional encoders for further processing.

Remarks

This method will first perform validation on all of the parameters and data provided to it. The CommandApdu it creates should contain the entire data payload for the command, even if it exceeds the 65,535-byte limit specified by ISO 7816-4. The APDU will be properly chained by the device connection prior to being sent to the YubiKey, and the responses will be collapsed into a single result.

CreateResponseForApdu(ResponseApdu)

Creates the corresponding IYubiKeyResponse implementation for the current command.

public GenerateKeyPairResponse CreateResponseForApdu(ResponseApdu responseApdu)

Parameters

responseApdu ResponseApdu

The ResponseApdu returned by the YubiKey.

Returns

GenerateKeyPairResponse

The implementation of IYubiKeyResponse that parses and presents this response APDU.