Class SetManagementKeyCommand
Set the value of the PIV management key.
public sealed class SetManagementKeyCommand : IYubiKeyCommand<SetManagementKeyResponse>
- Inheritance
-
objectSetManagementKeyCommand
- Implements
Remarks
The partner Response class is SetManagementKeyResponse.
The PIV management key is needed to perform some PIV operations, such as generating a key pair. See the User's Manual entry on PIV commands access control for information on when the management key is required.
Note that you need to authenticate the current PIV management key before setting it to a new value with this command.
Upon manufacture of a YubiKey, the PIV application begins with a default management key (see the User's Manual entry on the management key). This command changes it. Note that this command can be run at any time, either during initialization, later, to change from the default management key, or to change it again later on.
For YubiKeys before version 5.4.2, the management key is a Triple-DES key, so it is 24 byte long, no more, no less. It is binary. That's 192 bits. But note that because of "parity" bits, the actual bit strength of a Triple-DES key is 124 bits. And then further, there are attacks on Triple-DES that leave its effective bit strength at 112 bits.
Starting with YubiKey 5.4.2, it is possible to use an AES key as the management key. An AES key can be 128, 192, or 256 bits (16, 24, and 32 bytes respectively). If the YubiKey is version 5.4.2 or later, you can use this command to set the management key to any valid size of an AES key.
To determine if the YubiKey being set can have an AES management key, use
HasFeature
:
IYubiKeyDevice yubiKeyDevice;
bool aesCapable = yubiKeyDevice.HasFeature(YubiKeyFeature.PivManagementKeyAes);
Along with the key data itself, a management key has a touch policy.
Note: touch policy is available only on YubiKey 4 and later. A YubiKey prior to 4 will ignore the touch policy and simply perform its default.
The touch policy refers to whether use of the management key will require
touch or not, and if so, always or cached. The policy is specified using
the PivTouchPolicy
enum. If the input is None
or
Never
, the YubiKey will not require touch to complete an operation
that requires the management key. Always
means every operation
requires touch, even if the YubiKey had been touched for an operation
shortly before. If Cached
, one touch will last for 15 seconds.
That is, touch for an operation, and if a second operation requires the
management key, and it is executing less than 15 seconds after the first,
touch is not required. Default
will use the YubiKey's default
touch policy. Currently, for all YubiKeys, the default touch policy of
management keys is Never
.
When you pass the new management key to this class, it will copy a
reference to the object passed in, it will not copy the value. Because of
this, you cannot overwrite the key data until this object is done with
it. It will be safe to overwrite the key data after calling
connection.SendCommand
. See the User's Manual
entry on sensitive data for
more information on this topic.
Example:
/* This example assumes the application has a method to collect a
* management key.
*/
using System.Security.Cryptography;
byte[] mgmtKey;
IYubiKeyConnection connection = key.Connect(YubiKeyApplication.Piv);
mgmtKey = CollectMgmtKey();
var setManagementKeyCommand =
new SetManagementKeyCommand(mgmtKey, PivTouchPolicy.Never, PivAlgorithm.AES192);
SetManagementKeyResponse setManagementKeyResponse =
connection.SendCommand(setManagementKeyCommand);
if (setManagementKeyResponse != ResponseStatus.Success)
{
// Handle error
}
CryptographicOperations.ZeroMemory(mgmtKey);
Constructors
SetManagementKeyCommand(ReadOnlyMemory<byte>, PivAlgorithm)
Initializes a new instance of the SetManagementKeyCommand
class.
This command takes the new management key as input and will set the
TouchPolicy
to the default state and the Algorithm
to the algorithm provided.
public SetManagementKeyCommand(ReadOnlyMemory<byte> newKey, PivAlgorithm algorithm)
Parameters
newKey
ReadOnlyMemory<byte>The bytes that make up the new management key.
algorithm
PivAlgorithmThe algorithm of the new management key.
Remarks
This constructor is provided for those developers who want to use the object initializer pattern. For example:
var command = new SetManagementKeyCommand(keyData)
{
TouchPolicy = PivTouchPolicy.Cached,
Algorithm = PivAlgorithm.AES192,
};
Valid algorithms are PivAlgorithm.TripleDes
,
PivAlgorithm.Aes128
, PivAlgorithm.Aes192
, and
PivAlgorithm.Aes256
. FIPS YubiKeys versions 5.7 and greater require PivAlgorithm.Aes192
. YubiKeys with firmware versions prior to 5.4.2 can only use PivAlgorithm.TripleDes
.
Note that you need to authenticate the current PIV management key before setting it to a new value with this command.
SetManagementKeyCommand(ReadOnlyMemory<byte>, PivTouchPolicy, PivAlgorithm)
Initializes a new instance of the SetManagementKeyCommand class. This command takes the new management key, the touch policy, and the algorithm as input.
public SetManagementKeyCommand(ReadOnlyMemory<byte> newKey, PivTouchPolicy touchPolicy, PivAlgorithm algorithm)
Parameters
newKey
ReadOnlyMemory<byte>The bytes that make up the new management key.
touchPolicy
PivTouchPolicyThe touch policy for the management key.
algorithm
PivAlgorithmThe algorithm of the new management key.
Remarks
Note that a touchPolicy
of PivTouchPolicy.Default
or
None
is equivalent to Never
.
Valid algorithms are PivAlgorithm.TripleDes
,
PivAlgorithm.Aes128
, PivAlgorithm.Aes192
, and
PivAlgorithm.Aes256
. FIPS YubiKeys versions 5.7 and greater require PivAlgorithm.Aes192
. YubiKeys with firmware versions prior to 5.4.2 can only use PivAlgorithm.TripleDes
.
Note also that you need to authenticate the current PIV management key before setting it to a new value with this command.
Properties
Algorithm
The algorithm of the management key. On YubiKeys before version
5.4.2, only Triple-DES (PivAlgorithm.TripleDes
) is supported.
Beginning with 5.4.2, the Algorithm can be Aes128
,
Aes192
, Aes256
, or TripleDes
. The default is
TripleDes
for keys with firmware 5.6.x and earlier and Aes192
for YubiKeys with firmware 5.7.x and later.
public PivAlgorithm Algorithm { get; set; }
Property Value
Application
Gets the YubiKeyApplication to which this command belongs. For this command it's PIV.
public YubiKeyApplication Application { get; }
Property Value
- YubiKeyApplication
YubiKeyApplication.Piv
TouchPolicy
The touch policy the key will have. None and Default are equivalent to Never.
public PivTouchPolicy TouchPolicy { get; set; }
Property Value
Methods
CreateCommandApdu()
Creates a well-formed CommandApdu to send to the YubiKey.
public CommandApdu CreateCommandApdu()
Returns
- CommandApdu
A valid CommandApdu that is ready to be sent to the YubiKey, or passed along to additional encoders for further processing.
Remarks
This method will first perform validation on all of the parameters and data provided to it. The CommandAPDU it creates should contain all of the data payload for the command, even if it exceeds 65,535 bytes as specified by the ISO 7816-4 specification. The APDU will be properly chained by the device connection prior to being sent to the YubiKey, and the responses will collapsed into a single result.
CreateResponseForApdu(ResponseApdu)
Creates the corresponding IYubiKeyResponse implementation for the current command.
public SetManagementKeyResponse CreateResponseForApdu(ResponseApdu responseApdu)
Parameters
responseApdu
ResponseApduThe ResponseApdu returned by the YubiKey.
Returns
- SetManagementKeyResponse
The implementation of IYubiKeyResponse that parses and presents ths response APDU.