Class SecurityDomainSession
Create a session for managing the Secure Channel Protocol (SCP) configuration of a YubiKey.
public sealed class SecurityDomainSession : ApplicationSession
- Inheritance
-
objectSecurityDomainSession
- Inherited Members
Remarks
See the User's Manual entry on SCP.
The Security Domain session provides secure communication and key management capabilities through both SCP03 (symmetric) and SCP11 (asymmetric) protocols. This session can be used in two ways:
-
For direct SCP management:
- Managing SCP03 symmetric key sets (ENC, MAC, DEK)
- Managing SCP11 asymmetric keys (EC public/private key pairs)
- Configuring secure messaging parameters
-
Example:
using (var scp = new SecurityDomainSession(yubiKeyDevice, scpKeyParameters)) { // Manage SCP configuration }
-
As a background security layer:
- Secures communication (encrypted channel) with other applications (e.g., PIV, OTP, OATH, YubiHSM)
- Provides authenticity and confidentiality (encrypted channel) for remote operations
-
Example:
using (var pivSession = new PivSession(yubiKeyDevice, scpKeyParameters)) { // Perform PIV operations with secure messaging }
The session supports various key management operations:
- Loading and replacing SCP03 key sets
- Storing EC private keys (NIST P-256)
- Storing EC public keys (NIST P-256)
- Managing key certificates and metadata
- Deleting keys and resetting configurations
The constructor will throw an exception if:
- The YubiKey does not support SCP
- The provided key parameters are incorrect
Constructors
SecurityDomainSession(IYubiKeyDevice)
Create an unauthenticated instance of SecurityDomainSession, the object that manages the security domain on the YubiKey.
public SecurityDomainSession(IYubiKeyDevice yubiKey)
Parameters
yubiKey
IYubiKeyDeviceThe object that represents the actual YubiKey which will perform the operations.
Remarks
Sessions created from this constructor will not be able to perform operations which require authentication
See GlobalPlatform Technology Card Specification v2.3.1 §11 APDU Command Reference for more information.
Exceptions
- ArgumentNullException
The
yubiKey
argument is null.
SecurityDomainSession(IYubiKeyDevice, ScpKeyParameters)
Create an instance of SecurityDomainSession, the object that manages the security domain on the YubiKey.
public SecurityDomainSession(IYubiKeyDevice yubiKey, ScpKeyParameters scpKeyParameters)
Parameters
yubiKey
IYubiKeyDeviceThe object that represents the actual YubiKey which will perform the operations.
scpKeyParameters
ScpKeyParametersThe shared secret keys that will be used to authenticate the caller and encrypt the communications.
Remarks
See the User's Manual entry on SCP.
See GlobalPlatform Technology Card Specification v2.3.1 §11 APDU Command Reference for more information on SCP.
Because this class implements IDisposable
, use the using
keyword. For example,
if (YubiKeyDevice.TryGetYubiKey(serialNumber, out IYubiKeyDevice yubiKeyDevice))
{
using (var scp = new SecurityDomainSession(yubiKeyDevice, Scp03KeyParameters.DefaultKey))
{
// Perform SCP operations while authenticated with SCP03
}
}
Exceptions
- ArgumentNullException
The
yubiKey
orscpKeys
argument is null.
Methods
ClearAllowList(KeyReference)
Clears the allow list for the given KeyReference
public void ClearAllowList(KeyReference keyReference)
Parameters
keyReference
KeyReferenceThe key reference that holds the allow list
- See Also
DeleteKey(KeyReference, bool)
Delete one (or more) keys matching the specified criteria.
public void DeleteKey(KeyReference keyReference, bool deleteLast = false)
Parameters
keyReference
KeyReferenceA reference to the key(s) to delete.
deleteLast
boolMust be true if deleting the final key, false otherwise.
Remarks
All keys matching the given KID (Key ID) and/or KVN (Key Version Number) will be deleted, where 0 is treated as a wildcard. For SCP03 keys, they can only be deleted by KVN.
Exceptions
- ArgumentException
Thrown when both KID and KVN are 0, or when attempting to delete SCP03 keys by KID.
- SecureChannelException
Thrown when the delete operation fails.
GenerateEcKey(KeyReference, byte)
Generate a new EC key pair for the given key reference.
public ECPublicKey GenerateEcKey(KeyReference keyReference, byte replaceKvn)
Parameters
keyReference
KeyReferenceThe KID-KVN pair of the key that should be generated.
replaceKvn
byteThe key version number of the key set that should be replaced, or 0 to generate a new key pair.
Returns
- ECPublicKey
The parameters of the generated key, including the curve and the public point.
Remarks
GlobalPlatform has no command to generate key pairs on the card itself. This is a Yubico extension that tries to mimic the format of the GPC PUT KEY command.
Exceptions
- SecureChannelException
Thrown when there was an SCP error, described in the exception message.
GetCardRecognitionData()
Retrieves the card recognition data from the YubiKey device.
public ReadOnlyMemory<byte> GetCardRecognitionData()
Returns
- ReadOnlyMemory<byte>
The card recognition data as a byte array.
Remarks
The card recognition data is a TLV (Tag-Length-Value) encoded structure that contains information about the card. See GlobalPlatform Technology Card Specification v2.3.1 §H.2 Structure of Card Recognition Data for more information.
GetCertificates(KeyReference)
Retrieves the certificates associated with the given keyReference
.
public IReadOnlyList<X509Certificate2> GetCertificates(KeyReference keyReference)
Parameters
keyReference
KeyReferenceThe key reference for which the certificates should be retrieved.
Returns
- IReadOnlyList<X509Certificate2>
A list of X.509 certificates associated with the key reference. The leaf certificate is the last certificate in the list
Exceptions
- SecureChannelException
Thrown when there was an SCP error, described in the exception message.
GetData(int, ReadOnlyMemory<byte>?)
Gets data from the YubiKey associated with the given tag.
public ReadOnlyMemory<byte> GetData(int tag, ReadOnlyMemory<byte>? data = null)
Parameters
tag
intThe tag of the data to retrieve.
data
ReadOnlyMemory<byte>?Optional data to send with the command.
Returns
- ReadOnlyMemory<byte>
The encoded tlv data retrieved from the YubiKey.
Remarks
Sessions created from this constructor will not be able to perform operations which require authentication
See GlobalPlatform Technology Card Specification v2.3.1 §11 APDU Command Reference for more information.
Exceptions
- SecureChannelException
Thrown when there was an SCP error, described in the exception message.
GetKeyInformation()
Retrieves the key information stored in the YubiKey and returns it in a dictionary format.
public IReadOnlyDictionary<KeyReference, Dictionary<byte, byte>> GetKeyInformation()
Returns
- IReadOnlyDictionary<KeyReference, Dictionary<byte, byte>>
A read only dictionary containing the KeyReference as the key and a dictionary of key components as the value.
Exceptions
- SecureChannelException
Thrown when there was an SCP error, described in the exception message.
GetSupportedCaIdentifiers(bool, bool)
Gets the supported CA identifiers for KLOC and/or KLCC.
public IReadOnlyDictionary<KeyReference, ReadOnlyMemory<byte>> GetSupportedCaIdentifiers(bool kloc, bool klcc)
Parameters
kloc
boolWhether to retrieve Key Loading OCE Certificate (KLOC) identifiers.
klcc
boolWhether to retrieve Key Loading Card Certificate (KLCC) identifiers.
Returns
- IReadOnlyDictionary<KeyReference, ReadOnlyMemory<byte>>
A dictionary of KeyReference and byte arrays representing the CA identifiers.
Exceptions
- ArgumentException
Thrown when both kloc and klcc are false.
- SecureChannelException
Thrown when there was an SCP error, described in the exception message.
PutKey(KeyReference, ECPrivateKey, int)
Puts an EC private key onto the YubiKey using the Security Domain.
public void PutKey(KeyReference keyReference, ECPrivateKey privateKeyParameters, int replaceKvn = 0)
Parameters
keyReference
KeyReferenceThe key reference identifying where to store the key.
privateKeyParameters
ECPrivateKeyThe EC private key parameters to store.
replaceKvn
intThe key version number to replace, or 0 for a new key (Default value is 0).
Exceptions
- ArgumentException
Thrown when the private key is not of type NIST P-256.
- InvalidOperationException
Thrown when no secure session is established.
- SecureChannelException
Thrown when the new key set's checksum failed to verify, or some other SCP related error described in the exception message.
PutKey(KeyReference, ECPublicKey, int)
Puts an EC public key onto the YubiKey using the Security Domain.
public void PutKey(KeyReference keyReference, ECPublicKey publicKey, int replaceKvn = 0)
Parameters
keyReference
KeyReferenceThe key reference identifying where to store the key.
publicKey
ECPublicKeyThe EC public key parameters to store.
replaceKvn
intThe key version number to replace, or 0 for a new key (Default value is 0).
Exceptions
- ArgumentException
Thrown when the public key is not of type SECP256R1.
- InvalidOperationException
Thrown when no secure session is established.
- SecureChannelException
Thrown when the new key set's checksum failed to verify, or some other SCP related error described in the exception message.
PutKey(KeyReference, StaticKeys, int)
Puts an SCP03 key set onto the YubiKey using the Security Domain.
public void PutKey(KeyReference keyReference, StaticKeys staticKeys, int replaceKvn = 0)
Parameters
keyReference
KeyReferenceThe key reference identifying where to store the key.
staticKeys
StaticKeysThe new SCP03 key set to store.
replaceKvn
intThe key version number to replace, or 0 for a new key (Default value is 0).
Exceptions
- ArgumentException
Thrown when the KID is not 0x01 for SCP03 key sets.
- SecureChannelException
Thrown when the new key set's checksum failed to verify, or some other SCP related error described in the exception message.
Reset()
Perform a factory reset of the Security Domain. This will remove all keys and associated data, as well as restore the default SCP03 static keys, and generate a new (attestable) SCP11b key.
public void Reset()
StoreAllowlist(KeyReference, IReadOnlyCollection<string>)
Stores an allowlist of certificate serial numbers for a specified key reference using the GlobalPlatform STORE DATA command.
public void StoreAllowlist(KeyReference keyReference, IReadOnlyCollection<string> serials)
Parameters
keyReference
KeyReferenceA reference to the key for which the allowlist will be stored.
serials
IReadOnlyCollection<string>The list of certificate serial numbers (in hexadecimal string format) to be stored in the allowlist for the given KeyReference.
Remarks
This method requires off-card entity verification. If an allowlist is not stored, any certificate signed by the CA can be used.
See GlobalPlatform Technology Card Specification v2.3.1 §11 APDU Command Reference for more information.
Exceptions
- ArgumentException
Thrown when a serial number cannot be encoded properly.
- SecureChannelException
Thrown when there was an SCP error, described in the exception message.
StoreCaIssuer(KeyReference, ReadOnlyMemory<byte>)
Store the SKI (Subject Key Identifier) for the CA of a given key. Requires off-card entity verification.
public void StoreCaIssuer(KeyReference keyReference, ReadOnlyMemory<byte> ski)
Parameters
keyReference
KeyReferenceA reference to the key for which to store the CA issuer.
ski
ReadOnlyMemory<byte>The Subject Key Identifier to store.
StoreCertificates(KeyReference, IReadOnlyList<X509Certificate2>)
Store a list of certificates associated with the given key reference using the GlobalPlatform STORE DATA command.
public void StoreCertificates(KeyReference keyReference, IReadOnlyList<X509Certificate2> certificates)
Parameters
keyReference
KeyReferenceThe key reference associated with the certificates.
certificates
IReadOnlyList<X509Certificate2>The certificates to store.
Remarks
The certificates will be stored in the order they are provided in the list.
See GlobalPlatform Technology Card Specification v2.3.1 §11 APDU Command Reference for more information.
Exceptions
- ArgumentException
Thrown when certificatedata
- SecureChannelException
Thrown when there was an SCP error, described in the exception message.
StoreData(ReadOnlyMemory<byte>)
Stores data in the Security Domain or targeted Application on the YubiKey using the GlobalPlatform STORE DATA command.
public void StoreData(ReadOnlyMemory<byte> data)
Parameters
data
ReadOnlyMemory<byte>The data to be stored, which must be formatted as BER-TLV structures according to ISO 8825.
Remarks
The STORE DATA command is used to transfer data to either the Security Domain itself or to an Application being personalized. The data must be formatted as BER-TLV structures according to ISO 8825.
This implementation: - Uses a single block transfer (P1.b8=1 indicating last block) - Requires BER-TLV formatted data (P1.b5-b4=10) - Does not provide encryption information (P1.b7-b6=00)
See GlobalPlatform Technology Card Specification v2.3.1 §11 APDU Command Reference for more information.
The SecurityDomainSession makes use of this method to store data in the Security Domain. Such as the StoreCaIssuer(KeyReference, ReadOnlyMemory<byte>), StoreCertificates(KeyReference, IReadOnlyList<X509Certificate2>), StoreAllowlist(KeyReference, IReadOnlyCollection<string>), and other data.Exceptions
- InvalidOperationException
Thrown when no secure connection is available or the security context is invalid.
- SecureChannelException
Thrown when there was an SCP error, described in the exception message.