PivSession Class
Namespace: Yubico.YubiKey.Piv Assembly: Yubico.YubiKey.dllCreate a session and perform PIV operations within that session.
public sealed class PivSession : ApplicationSessionRemarks
When you need to perform PIV operations, instantiate this class to create a session, then call on the methods in the class.
Generally you will choose the YubiKey to use by building an instance of IYubiKeyDevice. This object will represent the actual hardware.
IYubiKeyDevice SelectYubiKey()
{
IEnumerable<IYubiKeyDevice> yubiKeyList = YubiKey.FindAll();
foreach (IYubiKeyDevice current in yubiKeyList)
{
/* determine which YubiKey to use */
if(selected)
{
return current;
}
}
}
Once you have the YubiKey to use, you will build an instance of this
PivSession class to represent the PIV application on the hardware.
Because this class implements IDisposable, use the using
keyword. For example,
IYubiKeyDevice yubiKeyToUse = SelectYubiKey();
using (var piv = new PivSession(yubiKeyToUse))
{
/* Perform PIV operations. */
}
If this class is used as part of a using expression, when the
session goes out of scope, the Dispose method will be called to
dispose the active PIV session, clearing any authenticated state, and
ultimately releasing the connection to the YubiKey.
Note that while a session is open, any management key authentication and PIN verification will be active. That is, you need to authenticate the management key or verify the PIN only once per session. Touch might be needed more than once.
There are some exceptions to the "verify the PIN once per session" rule. For example, to change a PIN, you need to enter the current and new PIN, even if the current PIN has been verified. The documentation for each method in this class will indicate if the PIN is needed, and if so, must it be verified or entered. See also the User's Manual entries on the PIV PIN, PUK, and Management Key and PIV commands access control.
Note that PIN/PUK/Management Key verification or authentication will
happen automatically when you call a method that needs it. You can
call the TryVerifyPin or TryAuthenticateManagementKey
methods if you want, but any method that can be executed only if the PIN
and/or management key has been verified or authenticated will determine
if the appropriate values have been verified/authenticated, and if not,
will make the appropriate calls to do so. The caller must supply a
PIN/PUK/management key collector delegate (callback).
This class needs a delegate (callback): a method to enter the PIN, PUK, or management key. Although some operations will not need this delegate, any useful application will almost certainly call one or more methods that do need it. You will need to set the appropriate property after instantiating this class.
using (var pivSession = new PivSession(yubiKeyToUse))
{
KeyCollector = SomeCollectorDelegate;
};
You supply the delegate as the KeyCollector property. See also the
User's Manual entry on
delegates in the SDK.
Note that the YubiKey is manufactured with default PIN, PUK, and management key values. This is a requirement of the PIV standard.
management key (hex): 01 02 03 04 05 06 07 08
01 02 03 04 05 06 07 08
01 02 03 04 05 06 07 08<pre><code class="lang-csharp">PIN (hex): 31 32 33 34 35 36
as an ASCII string, this would be "123456"</code></pre>
<pre><code class="lang-csharp">PUK (hex): 31 32 33 34 35 36 37 38
as an ASCII string, this would be "12345678"</code></pre>
The PIN, PUK, and management key are supplied as byte arrays. The reason is that they can be binary data (they are not necessarily strings, ASCII or otherwise), and a byte array can be overwritten to limit the contents' exposure. See the User's Manual entries on sensitive data.
This class will also need a random number generator and Triple-DES and AES encryptors/decryptors. It will get them from CryptographyProviders. That class will return default implementations, unless you replace them. Very few applications will choose to replace the defaults, but if you want to, see the documentation for that class and the User's Manual entry on alternate crypto implementations to learn how to do so.
Constructors
| Name | Description |
|---|---|
| PivSession(IYubiKeyDevice, ScpKeyParameters?) | Create an instance of |
| PivSession(IYubiKeyDevice, StaticKeys) |
Properties
| Name | Description |
|---|---|
| KeyCollector | The Delegate this class will call when it needs a PIN, PUK, or management key. |
| ManagementKeyAlgorithm | This specifies the algorithm of the management key. |
| ManagementKeyAuthenticated | This indicates whether the management key is authenticated or not. |
| ManagementKeyAuthenticationResult | This reports the result of the latest management key authentication attempt. |
| PinVerified | This indicates the current state of the PIN verification. |
Methods
| Name | Description |
|---|---|
| AuthenticateManagementKey(bool) | Authenticate the management key, throw an exception if the user cancels. |
| ChangeManagementKey(PivTouchPolicy) | Change the management key, throw an exception if the user cancels. The default management key algorithm will be used. (Firmware 5.7.x and later: AES-192. Firmware 5.6.x and earlier: TDES.) |
| ChangeManagementKey(PivTouchPolicy, PivAlgorithm) | Change the management key, throw an exception if the user cancels. The new key will be of the specified algorithm. |
| ChangePin() | Change the PIN, throw an exception if the user cancels. |
| ChangePinAndPukRetryCounts(byte, byte) | Change the retry counts for the PIN and PUK. WarningThis will reset the PIN and PUK to their default values as well as set the retry counts. |
| ChangePuk() | Change the PUK (PIN Unblocking Key), throw an exception if the user cancels. |
| CreateAttestationStatement(byte) | Create an attestation statement for the private key in the given slot. NoteIn version 1.0.0 of the SDK, it was not possible to get an attestation statement for keys in slots 82 - 95 (retired key slots). However, beginning with SDK 1.0.1, it is possible to get attestation statements for keys in those slots. |
| Decrypt(byte, ReadOnlyMemory<byte>) | Decrypt the given data using the key in the given slot. |
| DeleteKey(byte) | Deletes/clears any key at a given PivSlot. |
| DeleteMsroots() | Delete any contents stored in the MSROOTS data objects. |
| Dispose(bool) | |
| GenerateKeyPair(byte, KeyType, PivPinPolicy, PivTouchPolicy) | Generate a new key pair in the given slot. |
| GenerateKeyPair(byte, PivAlgorithm, PivPinPolicy, PivTouchPolicy) | |
| GetAttestationCertificate() | Get the attestation certificate. |
| GetBioMetadata() | Get information about YubiKey Bio multi-protocol. |
| GetCertificate(byte) | Get the certificate in the given slot. |
| GetMetadata(byte) | Get information about the specified slot. |
| GetPinOnlyMode() | Return an enum indicating the PIN-only mode, if any, for which the YubiKey PIV application is configured. |
| ImportCertificate(byte, X509Certificate2) | Import a certificate into the given slot. |
| ImportPrivateKey(byte, IPrivateKey, PivPinPolicy, PivTouchPolicy) | Import a private key into the given slot. |
| ImportPrivateKey(byte, PivPrivateKey, PivPinPolicy, PivTouchPolicy) | Import a private key into the given slot. |
| KeyAgree(byte, IPublicKey) | Perform Phase 2 of EC Diffie-Hellman Key Agreement using the private key in the given slot, and the corresponding party's public key. |
| KeyAgree(byte, PivPublicKey) | |
| MoveKey(byte, byte) | Moves a key from one slot to another. The source slot must not be the Attestation-slot and the destination slot must be empty. Any key except the attestation key can be moved from one slot to another. |
| ReadMsroots() | Returns the |
| ReadMsrootsStream() | Returns the contents of the MSROOTS data objects as a |
| ReadObject<T>() | Read the data at the storage location specified by the defined data
tag for the PivDataObject |
| ReadObject<T>(int) | Read the data at the storage location specified by the given
|
| ReplaceAttestationKeyAndCertificate(IPrivateKey, X509Certificate2) | Replace the attestation key and certificate. |
| ReplaceAttestationKeyAndCertificate(PivPrivateKey, X509Certificate2) | |
| ResetApplication() | Reset the PIV application to the default state. |
| ResetPin() | Reset the PIN, using the PUK (PIN Unblocking Key), throw an exception if the user cancels. |
| SetPinOnlyMode(PivPinOnlyMode) | Set the YubiKey's PIV application to be PIN-only with a PIN-derived and/or PIN-Protected management key. The default management key algorithm will be used (AES-192 for YubiKeys with firmware 5.7.x and later, TDES for keys with firmware 5.6.x and earlier). This sets the YubiKey to either If the YubiKey is set to PinProtected, PinDerived, or both, the PUK will also be blocked. WarningYou should not set a YubiKey for PIN-derived, this feature is provided only for backwards compatibility. |
| SetPinOnlyMode(PivPinOnlyMode, PivAlgorithm) | Set the YubiKey's PIV application to be PIN-only with a PIN-derived and/or PIN-Protected management key of the specified algorithm. This sets the YubiKey to either If the YubiKey is set to PinProtected, PinDerived, or both, the PUK will also be blocked. WarningYou should not set a YubiKey for PIN-derived, this feature is provided only for backwards compatibility. |
| Sign(byte, ReadOnlyMemory<byte>) | Create a digital signature using the key in the given slot. |
| TryAuthenticateManagementKey(bool) | Try to authenticate the management key. |
| TryAuthenticateManagementKey(ReadOnlyMemory<byte>, bool) | Try to authenticate the management key. This method will use the key
data provided, rather than the |
| TryChangeManagementKey(ReadOnlyMemory<byte>, ReadOnlyMemory<byte>, PivTouchPolicy) | Try to change the management key. This method will use the
|
| TryChangeManagementKey(ReadOnlyMemory<byte>, ReadOnlyMemory<byte>, PivTouchPolicy, PivAlgorithm) | Try to change the management key. This method will use the
|
| TryChangeManagementKey(PivTouchPolicy) | Try to change the management key. The default management key algorithm will be used. (Firmware 5.7.x and later: AES-192. Firmware 5.6.x and earlier: TDES.) |
| TryChangeManagementKey(PivTouchPolicy, PivAlgorithm) | Try to change the management key. The new key will be the specified algorithm. |
| TryChangePin() | Try to change the PIN. |
| TryChangePin(ReadOnlyMemory<byte>, ReadOnlyMemory<byte>, out int?) | Try to change the PIN. This method will use the |
| TryChangePinAndPukRetryCounts(ReadOnlyMemory<byte>, ReadOnlyMemory<byte>, byte, byte, out int?) | Try to change the retry counts for both the PIN and PUK. This method
will use the WarningThis will reset the PIN and PUK to their default values as well as set the retry counts. |
| TryChangePuk() | Try to change the PUK (PIN Unblocking Key). |
| TryChangePuk(ReadOnlyMemory<byte>, ReadOnlyMemory<byte>, out int?) | Try to change the PUK. This method will use the |
| TryReadObject<T>(int, out T) | Try to read the data at the storage location specified by the defined
data tag for the PivDataObject |
| TryReadObject<T>(out T) | Try to read the data at the storage location specified by the defined
data tag for the PivDataObject |
| TryRecoverPinOnlyMode() | Try to recover the PIN-only state. If successful, this will authenticate the management key and reset the ADMIN DATA and or PRINTED storage locations. WarningThis can overwrite the contents of ADMIN DATA and/or PRINTED. If some other application relies on that data it will be lost. |
| TryResetPin() | Try to reset the PIN, using the PUK (PIN Unblocking Key). |
| TryResetPin(ReadOnlyMemory<byte>, ReadOnlyMemory<byte>, out int?) | Try to reset the PIN using the PUK (PIN Unblocking Key). This method
will use the |
| TryVerifyPin() | Try to verify the PIN. If the user cancels, return |
| TryVerifyPin(ReadOnlyMemory<byte>, out int?) | Try to verify the PIN. This method will use the PIN provided, rather
than the |
| VerifyPin() | Verify the PIN, throw an exception if the user cancels. |
| WriteMsroots(ReadOnlySpan<byte>) | Write |
| WriteMsrootsStream(Stream) | Write |
| WriteObject(PivDataObject) | Write the contents of the given object to the storage location specified by the DataTag property. |