Class PivSlot

Namespace
Yubico.YubiKey.Piv
Assembly
Yubico.YubiKey.dll

The valid PIV slots.

public static class PivSlot
Inheritance
object
PivSlot

Remarks

Each slot has a name and number. This class provides names to go along with the numbers.

For example, if you want to use the Authentication slot, specify it as PivSlot.Authentication. If you want to use slot 9A, specify 0x9A. The Authentication slot and 9A are actually one and the same, but some applications or standards documents might refer to it as "Slot 9A" and others might refer to it as the "Authentication Slot".

See the User's Manual entry on PIV slots for more details on each of the possible slots.

Fields

Attestation

Slot F9. The cert and key can be used to attest keys in slots 9A, 9C, 9D, and 9E, if they were generated on the device.
This is only available on YubiKey version 4.3 and later.

public const byte Attestation = 249

Field Value

byte

Authentication

Slot 9A, the certificate and its associated private key are used to authenticate
the card and the cardholder, usually for system login.

public const byte Authentication = 154

Field Value

byte

CardAuthentication

Slot 9E, the certificate and its associated private key are used to support additional
physical access applications, such as providing physical access to buildings via
PIV-enabled door locks.

public const byte CardAuthentication = 158

Field Value

byte

KeyManagement

Slot 9D, the certificate and its associated private key are used for encryption
for the purpose of confidentiality. It is generally used for things such as
decrypting e-mails or encrypting/decrypting files.
Note that this is NOT the "Management Key" slot, which is a separate property in this class.

public const byte KeyManagement = 157

Field Value

byte

Management

Management Key slot, number 0x9B. Before YubiKey 5.4.2, it can only be a Triple-DES key. Beginning with 5.4.2, it can be Triple-DES or AES.
This is a valid slot only with the command GetMetadataCommand.
There is no cert in this slot.
Note that this is NOT the KeyManagement slot, which is a separate property in this class.

public const byte Management = 155

Field Value

byte

Pin

PIN slot, number 0x80.
This is a valid slot only with the command GetMetadataCommand.
There is no cert in this slot.

public const byte Pin = 128

Field Value

byte

Puk

PUK slot, number 0x81.
This is a valid slot only with the command GetMetadataCommand.
There is no cert in this slot.

public const byte Puk = 129

Field Value

byte

Retired1

Slot 82, the retired key slots are meant for previously used Key Management keys to be
able to decrypt earlier encrypted documents or emails.
In the YubiKey all 20 of the retired slots are fully available for use.
This is only available on YubiKey version 4 and later.

public const byte Retired1 = 130

Field Value

byte

Retired10

Slot 8B, the retired key slots are meant for previously used Key Management keys to be
able to decrypt earlier encrypted documents or emails.
In the YubiKey all 20 of the retired slots are fully available for use.
This is only available on YubiKey version 4 and later.

public const byte Retired10 = 139

Field Value

byte

Retired11

Slot 8C, the retired key slots are meant for previously used Key Management keys to be
able to decrypt earlier encrypted documents or emails.
In the YubiKey all 20 of the retired slots are fully available for use.
This is only available on YubiKey version 4 and later.

public const byte Retired11 = 140

Field Value

byte

Retired12

Slot 8D, the retired key slots are meant for previously used Key Management keys to be
able to decrypt earlier encrypted documents or emails.
In the YubiKey all 20 of the retired slots are fully available for use.
This is only available on YubiKey version 4 and later.

public const byte Retired12 = 141

Field Value

byte

Retired13

Slot 8E, the retired key slots are meant for previously used Key Management keys to be
able to decrypt earlier encrypted documents or emails.
In the YubiKey all 20 of the retired slots are fully available for use.
This is only available on YubiKey version 4 and later.

public const byte Retired13 = 142

Field Value

byte

Retired14

Slot 8F, the retired key slots are meant for previously used Key Management keys to be
able to decrypt earlier encrypted documents or emails.
In the YubiKey all 20 of the retired slots are fully available for use.
This is only available on YubiKey version 4 and later.

public const byte Retired14 = 143

Field Value

byte

Retired15

Slot 90, the retired key slots are meant for previously used Key Management keys to be
able to decrypt earlier encrypted documents or emails.
In the YubiKey all 20 of the retired slots are fully available for use.
This is only available on YubiKey version 4 and later.

public const byte Retired15 = 144

Field Value

byte

Retired16

Slot 91, the retired key slots are meant for previously used Key Management keys to be
able to decrypt earlier encrypted documents or emails.
In the YubiKey all 20 of the retired slots are fully available for use.
This is only available on YubiKey version 4 and later.

public const byte Retired16 = 145

Field Value

byte

Retired17

Slot 92, the retired key slots are meant for previously used Key Management keys to be
able to decrypt earlier encrypted documents or emails.
In the YubiKey all 20 of the retired slots are fully available for use.
This is only available on YubiKey version 4 and later.

public const byte Retired17 = 146

Field Value

byte

Retired18

Slot 93, the retired key slots are meant for previously used Key Management keys to be
able to decrypt earlier encrypted documents or emails.
In the YubiKey all 20 of the retired slots are fully available for use.
This is only available on YubiKey version 4 and later.

public const byte Retired18 = 147

Field Value

byte

Retired19

Slot 94, the retired key slots are meant for previously used Key Management keys to be
able to decrypt earlier encrypted documents or emails.
In the YubiKey all 20 of the retired slots are fully available for use.
This is only available on YubiKey version 4 and later.

public const byte Retired19 = 148

Field Value

byte

Retired2

Slot 83, the retired key slots are meant for previously used Key Management keys to be
able to decrypt earlier encrypted documents or emails.
In the YubiKey all 20 of the retired slots are fully available for use.
This is only available on YubiKey version 4 and later.

public const byte Retired2 = 131

Field Value

byte

Retired20

Slot 95, the retired key slots are meant for previously used Key Management keys to be
able to decrypt earlier encrypted documents or emails.
In the YubiKey all 20 of the retired slots are fully available for use.
This is only available on YubiKey version 4 and later.

public const byte Retired20 = 149

Field Value

byte

Retired3

Slot 84, the retired key slots are meant for previously used Key Management keys to be
able to decrypt earlier encrypted documents or emails.
In the YubiKey all 20 of the retired slots are fully available for use.
This is only available on YubiKey version 4 and later.

public const byte Retired3 = 132

Field Value

byte

Retired4

Slot 85, the retired key slots are meant for previously used Key Management keys to be
able to decrypt earlier encrypted documents or emails.
In the YubiKey all 20 of the retired slots are fully available for use.
This is only available on YubiKey version 4 and later.

public const byte Retired4 = 133

Field Value

byte

Retired5

Slot 86, the retired key slots are meant for previously used Key Management keys to be
able to decrypt earlier encrypted documents or emails.
In the YubiKey all 20 of the retired slots are fully available for use.
This is only available on YubiKey version 4 and later.

public const byte Retired5 = 134

Field Value

byte

Retired6

Slot 87, the retired key slots are meant for previously used Key Management keys to be
able to decrypt earlier encrypted documents or emails.
In the YubiKey all 20 of the retired slots are fully available for use.
This is only available on YubiKey version 4 and later.

public const byte Retired6 = 135

Field Value

byte

Retired7

Slot 88, the retired key slots are meant for previously used Key Management keys to be
able to decrypt earlier encrypted documents or emails.
In the YubiKey all 20 of the retired slots are fully available for use.
This is only available on YubiKey version 4 and later.

public const byte Retired7 = 136

Field Value

byte

Retired8

Slot 89, the retired key slots are meant for previously used Key Management keys to be
able to decrypt earlier encrypted documents or emails.
In the YubiKey all 20 of the retired slots are fully available for use.
This is only available on YubiKey version 4 and later.

public const byte Retired8 = 137

Field Value

byte

Retired9

Slot 8A, the retired key slots are meant for previously used Key Management keys to be
able to decrypt earlier encrypted documents or emails.
In the YubiKey all 20 of the retired slots are fully available for use.
This is only available on YubiKey version 4 and later.

public const byte Retired9 = 138

Field Value

byte

Signing

Slot 9C, the certificate and its associated private key are used for creating
digital signatures, such as signing files and executables.

public const byte Signing = 156

Field Value

byte

Methods

IsValidSlotNumber(byte)

Is the given number a valid slot number?

public static bool IsValidSlotNumber(byte slotNumber)

Parameters

slotNumber byte

The number to check.

Returns

bool

True if slotNumber is a valid PIV slot, or False otherwise.

Remarks

This verifies that a number given is a valid slot number. For example, if the input is 0x9A, it will return true. If the input is 0x01 or 0x77, it will return false.

See the User's Manual entry on PIV slots for more details on each of the possible slots.

IsValidSlotNumberForGenerate(byte)

Is the given number a valid slot number for generating asymmetric keys?

public static bool IsValidSlotNumberForGenerate(byte slotNumber)

Parameters

slotNumber byte

The number to check.

Returns

bool

True if slotNumber is a valid PIV asymmetric key slot that can generate a new key pair, or False otherwise.

Remarks

Note that if a slot is valid for generate, it is also valid for importing.

This verifies that a number given is not only a valid slot number, but a valid slot number for a slot that can generate an asymmetric key pair. For example, if the input is 0x9A, it will return true. If the input is 0x80 or 0x9B, it will return false. Even though 80 and 9B are valid slot numbers, they are for slots that cannot generate asymmetric keys.

Note that it is possible to generate a key pair in slot F9 (attestation key). However, that would make attestation no longer possible, unless you obtain, for that key, a proper attestation certificate that chains to a supported root.

See the User's Manual entry on PIV slots for more details on each of the possible slots.

IsValidSlotNumberForSigning(byte)

Is the given number a valid slot number for signing arbitrary data?

public static bool IsValidSlotNumberForSigning(byte slotNumber)

Parameters

slotNumber byte

The number to check.

Returns

bool

True if slotNumber is a valid PIV asymmetric key slot that can sign, or False otherwise.

Remarks

Note that if a slot is valid for signing, it is also valid for decrypting, key exchange, and obtaining an attestation statement as well.

This verifies that a number given is not only a valid slot number, but a valid slot number for a slot that can perform signing. For example, if the input is 0x9A, it will return true. If the input is 0x80, 0x9B, or 0xF9, it will return false. Even though 0x80 and 0x9B are valid slot numbers, they are for slots that cannot sign. And even though 0xF9 holds an asymmetric key, and it will sign certificates it creates for attestation, it cannot sign arbitrary data.

See the User's Manual entry on PIV slots for more details on each of the possible slots.
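
The three checks above can be combined into one gate for slot numbers that arrive as text from configuration or user input. This is an added example, not code from the SDK: `SlotPolicy`, `SlotOperation`, `TryAuthorize` and `allowAttestationOverwrite` are hypothetical names, and it assumes a project that references the Yubico.YubiKey package.

```csharp
using System;
using System.Globalization;
using Yubico.YubiKey.Piv;

public enum SlotOperation { Generate, Import, Sign, Decrypt }

public static class SlotPolicy
{
    // Hypothetical helper: parse a slot given as hex text ("9A" or "0x9a") and
    // decide whether the requested key operation may be sent to the YubiKey.
    public static bool TryAuthorize(string slotText, SlotOperation op,
        bool allowAttestationOverwrite, out byte slot, out string reason)
    {
        string hex = (slotText ?? string.Empty).Trim();
        if (hex.StartsWith("0x", StringComparison.OrdinalIgnoreCase)) { hex = hex.Substring(2); }
        if (!byte.TryParse(hex, NumberStyles.AllowHexSpecifier,
                CultureInfo.InvariantCulture, out slot))
        {
            reason = "not a one-byte hex value";
            return false;
        }
        if (!PivSlot.IsValidSlotNumber(slot))
        {
            reason = "not a PIV slot number";
            return false;
        }
        bool writesKey = op == SlotOperation.Generate || op == SlotOperation.Import;
        if (writesKey && !PivSlot.IsValidSlotNumberForGenerate(slot))
        {
            reason = "slot cannot hold a generated or imported asymmetric key";
            return false;
        }
        // F9 accepts a new key, but replacing it breaks attestation unless a
        // certificate chaining to a supported root is obtained for the new key.
        if (writesKey && slot == PivSlot.Attestation && !allowAttestationOverwrite)
        {
            reason = "refusing to replace the attestation key in slot F9";
            return false;
        }
        if (!writesKey && !PivSlot.IsValidSlotNumberForSigning(slot))
        {
            reason = "slot cannot sign or decrypt arbitrary data";
            return false;
        }
        reason = string.Empty;
        return true;
    }
}
```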