Decrypt Method
Decrypt(Byte, ReadOnlyMemory<Byte>)
Decrypt the given data using the key in the given slot.
public byte[] Decrypt(byte slotNumber, ReadOnlyMemory<byte> dataToDecrypt)Parameters
| Type | Name | Description |
|---|---|---|
| System.Byte | slotNumber | The slot containing the key to use. |
| System.ReadOnlyMemory<System.Byte> | dataToDecrypt | The ciphertext. |
Returns
The resulting decrypted block.
Exceptions
| Type | Condition |
|---|---|
| System.ArgumentException | The slot number given was not valid, or the data to decrypt was an invalid length. |
| System.InvalidOperationException | There was no key in the slot specified or the data did not match the key (e.g. the data to decrypt was 128 bytes long but the key was RSA 2048). |
| System.OperationCanceledException | Either the PIN was required and the user canceled collection or touch was required and the user did not touch within the timeout period. |
| System.Security.SecurityException | The remaining retries count indicates the PIN is blocked. |
Remarks
The YubiKey supports decryption only with RSA keys.
This method returns the raw decrypted data, if it can decrypt. It will not parse the formatted data. If it cannot decrypt for some reason, it will throw an exception.
If the slot specified is not one that can decrypt, or it does not contain a key, or it contains an ECC key (instead of RSA), this method will throw an exception. If the input data is not the correct length, the method will throw an exception.
If the key is RSA 1024, then the input must be exactly 128 bytes. If the key is RSA 2048, then the input must be exactly 256 bytes. If the input data is not the correct length, the method will throw an exception.
The return will be the raw decrypted data. You can use the RsaFormat class to parse the data and extract the actual unpadded plaintext. That class will be able to parse from either PKCS #1 v1.5 or a subset of PKCS #1 OAEP. However, if that class does not support the exact format you want, you will have to write your own parsing code.
Decrypting might require the PIN and/or touch, depending on the PIN and touch policies specified at the time the key was generated or imported.
If a PIN is required, this method will call the necessary routines to verify the PIN. See VerifyPin() for more information on PIN verification. If the user cancels, this method will throw an exception.
If touch is required, the YubiKey itself will flash its touch signal
and wait. If the YubiKey is not touched before the touch timeout, the
YubiKey will return with an error, and this method will throw an
exception (OperationCanceledException). Note that this method
will not make another effort to decrypt if the YubiKey is not
touched, it will simply throw the exception.
Note that on YubiKeys prior to version 5.3, it is not possible to know programmatically what the PIN or touch policies are without actually trying to decrypt. Also, it is not possible to know programmatically if an authentication failure is due to PIN or touch. This means that on older YubiKeys, this method will try to decrypt without the PIN, and if it does not work because of authentication failure, it will not know if the failure was due to PIN or touch. Hence, it will try to verify the PIN then try to sign again. This all means that on older YubiKeys, it is possible a YubiKey slot was originally configured with a PIN policy of "never" and a touch policy of "always", and this method will call for the PIN anyway. This happens if the user does not touch the YubiKey before the timeout. See the User's Manual entry on keeping track of slot contents.