Class PivSlot
The valid PIV slots.
public static class PivSlot
Inheritance
- object
- PivSlot
Remarks
Each slot has a name and number. This class provides names to go along with the numbers.
For example, if you want to use the Authentication slot, specify it as PivSlot.Authentication. If you want to use slot 9A, specify 0x9A. The Authentication slot and 9A are actually one and the same, but some applications or standards documents might refer to it as "Slot 9A" and others might refer to it as the "Authentication Slot".
See the User's Manual entry on PIV slots for more details on each of the possible slots.
Fields
Attestation
Slot F9, the cert and key can be used to attest keys 9A, 9C, 9D, and
9E, if they were generated on the device.
This is only available on YubiKey version 4.3 and later.
public const byte Attestation = 249
Field Value
- byte
Authentication
Slot 9A, the certificate and its associated private key are used to
authenticate
the card and the cardholder, usually for system login.
public const byte Authentication = 154
Field Value
- byte
CardAuthentication
Slot 9E, the certificate and its associated private key are used to
support additional
physical access applications, such as providing physical access
to buildings via
PIV-enabled door locks.
public const byte CardAuthentication = 158
Field Value
- byte
KeyManagement
Slot 9D, the certificate and its associated private key are used for encryption for the purpose of confidentiality. It is generally used for things such as decrypting e-mails or encrypting/decrypting files.
Note that this is NOT the "Management Key" slot, which is a
separate property in this class.
public const byte KeyManagement = 157
Field Value
- byte
Management
Management Key slot, number 0x9B. Before YubiKey 5.4.2, it can only
be a Triple-DES key. Beginning with 5.4.2 it can be Triple-DES or AES.
This is a valid slot only with the command
GetMetadataCommand.
There is no cert in this slot.
Note that this is NOT the KeyManagement
slot, which is a
separate property in this class.
public const byte Management = 155
Field Value
- byte
Pin
PIN slot, number 0x80.
This is a valid slot only with the command
GetMetadataCommand.
There is no cert in this slot.
public const byte Pin = 128
Field Value
- byte
Puk
PUK slot, number 0x81.
This is a valid slot only with the command
GetMetadataCommand.
There is no cert in this slot.
public const byte Puk = 129
Field Value
- byte
Retired1
Slot 82, the retired key slots are meant for previously used Key
Management keys to be
able to decrypt earlier encrypted documents or emails.
In the YubiKey all 20 of the retired slots are fully available
for use.
This is only available on YubiKey version 4 and later.
public const byte Retired1 = 130
Field Value
- byte
Retired10
Slot 8B, the retired key slots are meant for previously used Key
Management keys to be
able to decrypt earlier encrypted documents or emails.
In the YubiKey all 20 of the retired slots are fully available
for use.
This is only available on YubiKey version 4 and later.
public const byte Retired10 = 139
Field Value
- byte
Retired11
Slot 8C, the retired key slots are meant for previously used Key
Management keys to be
able to decrypt earlier encrypted documents or emails.
In the YubiKey all 20 of the retired slots are fully available
for use.
This is only available on YubiKey version 4 and later.
public const byte Retired11 = 140
Field Value
- byte
Retired12
Slot 8D, the retired key slots are meant for previously used Key
Management keys to be
able to decrypt earlier encrypted documents or emails.
In the YubiKey all 20 of the retired slots are fully available
for use.
This is only available on YubiKey version 4 and later.
public const byte Retired12 = 141
Field Value
- byte
Retired13
Slot 8E, the retired key slots are meant for previously used Key
Management keys to be
able to decrypt earlier encrypted documents or emails.
In the YubiKey all 20 of the retired slots are fully available
for use.
This is only available on YubiKey version 4 and later.
public const byte Retired13 = 142
Field Value
- byte
Retired14
Slot 8F, the retired key slots are meant for previously used Key
Management keys to be
able to decrypt earlier encrypted documents or emails.
In the YubiKey all 20 of the retired slots are fully available
for use.
This is only available on YubiKey version 4 and later.
public const byte Retired14 = 143
Field Value
- byte
Retired15
Slot 90, the retired key slots are meant for previously used Key
Management keys to be
able to decrypt earlier encrypted documents or emails.
In the YubiKey all 20 of the retired slots are fully available
for use.
This is only available on YubiKey version 4 and later.
public const byte Retired15 = 144
Field Value
- byte
Retired16
Slot 91, the retired key slots are meant for previously used Key
Management keys to be
able to decrypt earlier encrypted documents or emails.
In the YubiKey all 20 of the retired slots are fully available
for use.
This is only available on YubiKey version 4 and later.
public const byte Retired16 = 145
Field Value
- byte
Retired17
Slot 92, the retired key slots are meant for previously used Key
Management keys to be
able to decrypt earlier encrypted documents or emails.
In the YubiKey all 20 of the retired slots are fully available
for use.
This is only available on YubiKey version 4 and later.
public const byte Retired17 = 146
Field Value
- byte
Retired18
Slot 93, the retired key slots are meant for previously used Key
Management keys to be
able to decrypt earlier encrypted documents or emails.
In the YubiKey all 20 of the retired slots are fully available
for use.
This is only available on YubiKey version 4 and later.
public const byte Retired18 = 147
Field Value
- byte
Retired19
Slot 94, the retired key slots are meant for previously used Key
Management keys to be
able to decrypt earlier encrypted documents or emails.
In the YubiKey all 20 of the retired slots are fully available
for use.
This is only available on YubiKey version 4 and later.
public const byte Retired19 = 148
Field Value
- byte
Retired2
Slot 83, the retired key slots are meant for previously used Key
Management keys to be
able to decrypt earlier encrypted documents or emails.
In the YubiKey all 20 of the retired slots are fully available
for use.
This is only available on YubiKey version 4 and later.
public const byte Retired2 = 131
Field Value
- byte
Retired20
Slot 95, the retired key slots are meant for previously used Key
Management keys to be
able to decrypt earlier encrypted documents or emails.
In the YubiKey all 20 of the retired slots are fully available
for use.
This is only available on YubiKey version 4 and later.
public const byte Retired20 = 149
Field Value
- byte
Retired3
Slot 84, the retired key slots are meant for previously used Key
Management keys to be
able to decrypt earlier encrypted documents or emails.
In the YubiKey all 20 of the retired slots are fully available
for use.
This is only available on YubiKey version 4 and later.
public const byte Retired3 = 132
Field Value
- byte
Retired4
Slot 85, the retired key slots are meant for previously used Key
Management keys to be
able to decrypt earlier encrypted documents or emails.
In the YubiKey all 20 of the retired slots are fully available
for use.
This is only available on YubiKey version 4 and later.
public const byte Retired4 = 133
Field Value
- byte
Retired5
Slot 86, the retired key slots are meant for previously used Key
Management keys to be
able to decrypt earlier encrypted documents or emails.
In the YubiKey all 20 of the retired slots are fully available
for use.
This is only available on YubiKey version 4 and later.
public const byte Retired5 = 134
Field Value
- byte
Retired6
Slot 87, the retired key slots are meant for previously used Key
Management keys to be
able to decrypt earlier encrypted documents or emails.
In the YubiKey all 20 of the retired slots are fully available
for use.
This is only available on YubiKey version 4 and later.
public const byte Retired6 = 135
Field Value
- byte
Retired7
Slot 88, the retired key slots are meant for previously used Key
Management keys to be
able to decrypt earlier encrypted documents or emails.
In the YubiKey all 20 of the retired slots are fully available
for use.
This is only available on YubiKey version 4 and later.
public const byte Retired7 = 136
Field Value
- byte
Retired8
Slot 89, the retired key slots are meant for previously used Key
Management keys to be
able to decrypt earlier encrypted documents or emails.
In the YubiKey all 20 of the retired slots are fully available
for use.
This is only available on YubiKey version 4 and later.
public const byte Retired8 = 137
Field Value
- byte
Retired9
Slot 8A, the retired key slots are meant for previously used Key
Management keys to be
able to decrypt earlier encrypted documents or emails.
In the YubiKey all 20 of the retired slots are fully available
for use.
This is only available on YubiKey version 4 and later.
public const byte Retired9 = 138
Field Value
- byte
Signing
Slot 9C, the certificate and its associated private key are used for
creating
digital signatures, such as signing files and executables.
public const byte Signing = 156
Field Value
- byte
Methods
IsValidSlotNumber(byte)
Is the given number a valid slot number?
public static bool IsValidSlotNumber(byte slotNumber)
Parameters
slotNumber byte
The number to check.
Returns
- bool
True if slotNumber is a valid PIV slot, or False otherwise.
Remarks
This verifies that a number given is a valid slot number. For example, if the input is 0x9A, it will return true. If the input is 0x01 or 0x77, it will return false.
See the User's Manual entry on PIV slots for more details on each of the possible slots.
IsValidSlotNumberForGenerate(byte)
Is the given number a valid slot number for generating asymmetric keys?
public static bool IsValidSlotNumberForGenerate(byte slotNumber)
Parameters
slotNumber byte
The number to check.
Returns
- bool
True if slotNumber is a valid PIV asymmetric key slot that can generate a new key pair, or False otherwise.
Remarks
Note that if a slot is valid for generate, it is also valid for importing.
This verifies that a number given is not only a valid slot number, but a valid slot number for a slot that can generate an asymmetric key pair. For example, if the input is 0x9A, it will return true. If the input is 0x80 or 0x9B, it will return false. Even though 80 and 9B are valid slot numbers, they are for slots that cannot generate asymmetric keys.
Note that it is possible to generate a key pair in slot F9
(attestation key). However, that would make attestation no longer
possible, unless you obtain, for that key, a proper attestation
certificate that chains to a supported root.
See the User's Manual entry on PIV slots for more details on each of the possible slots.
IsValidSlotNumberForSigning(byte)
Is the given number a valid slot number for signing arbitrary data?
public static bool IsValidSlotNumberForSigning(byte slotNumber)
Parameters
slotNumber byte
The number to check.
Returns
- bool
True if slotNumber is a valid PIV asymmetric key slot that can sign, or False otherwise.
Remarks
Note that if a slot is valid for signing, it is also valid for decrypting, key exchange, and obtaining an attestation statement as well.
This verifies that a number given is not only a valid slot number, but a valid slot number for a slot that can perform signing. For example, if the input is 0x9A, it will return true. If the input is 0x80, 0x9B, or F9, it will return false. Even though 80 and 9B are valid slot numbers, they are for slots that cannot sign. And even though F9 holds an asymmetric key, and it will sign certificates it creates for attestation, it cannot sign arbitrary data.
See the User's Manual entry on PIV slots for more details on each of the possible slots.
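A pre-flight check built on the three validation methods above, for provisioning code that takes a slot number from configuration or user input. This is an added example, not code from the SDK or its documentation: SlotPreflight, SlotUse and allowAttestationOverwrite are hypothetical names, and the Yubico.YubiKey.Piv namespace is assumed because this page does not state it.

```csharp
#nullable enable
using System;
using Yubico.YubiKey.Piv; // assumed namespace; not stated on this page

// Hypothetical helper types, not part of the SDK.
public enum SlotUse { Generate, Sign }

public static class SlotPreflight
{
    // Returns null when the slot may be used, otherwise the reason to refuse.
    public static string? Check(byte slot, SlotUse use, bool allowAttestationOverwrite = false)
    {
        // Rejects numbers such as 0x01 or 0x77 that are not PIV slots at all.
        if (!PivSlot.IsValidSlotNumber(slot))
            return $"0x{slot:X2} is not a PIV slot";

        // Generating in F9 is possible, but it ends attestation unless a proper
        // attestation certificate is obtained for the new key, so require an
        // explicit opt-in instead of relying on the generate check alone.
        if (use == SlotUse.Generate && slot == PivSlot.Attestation && !allowAttestationOverwrite)
            return "refusing to replace the attestation key in slot F9";

        // 0x80 (PIN), 0x81 (PUK) and 0x9B (management key) are valid slot
        // numbers but hold no asymmetric key; F9 cannot sign arbitrary data.
        bool usable = use == SlotUse.Generate
            ? PivSlot.IsValidSlotNumberForGenerate(slot)
            : PivSlot.IsValidSlotNumberForSigning(slot);

        return usable ? null : $"slot 0x{slot:X2} cannot be used for {use}";
    }

    public static void Main()
    {
        // Constructed sample input: named constants and raw numbers mixed,
        // as they might arrive from a configuration file.
        byte[] samples =
        {
            0x9A, PivSlot.Signing, PivSlot.Retired1,
            PivSlot.Management, PivSlot.Pin, PivSlot.Attestation, 0x77,
        };

        foreach (byte slot in samples)
            foreach (SlotUse use in new[] { SlotUse.Generate, SlotUse.Sign })
                Console.WriteLine($"0x{slot:X2} {use,-8} {Check(slot, use) ?? "ok"}");
    }
}
```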