### Get Template Example (Command Line) Source: https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/_sources/hsm2-cmd-reference.rst.txt Example of fetching the public key for a specific asymmetric key ID. ```bash $ yubihsm-shell -a get-template -i 0x7b19 --out template.dat ``` -------------------------------- ### Example: Get Storage Info for Session 0 Source: https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/_sources/hsm2-cmd-reference.rst.txt Shows an example of retrieving storage information for session ID 0, displaying the free records, pages, and page size. ```bash yubihsm> get storage 0 free records: 255/256, free pages: 1023/1024 page size: 126 bytes ``` -------------------------------- ### Run YubiKey Manager Installer Source: https://docs.yubico.com/software/yubikey/tools/ykman/Using_the_ykman_GUI.html Execute the YubiKey Manager installer. The example shows a silent installation with a custom installation path specified using the /D option. ```bash C:\Users\\Downloads >.\yubikey-manager-qt-1.2.6-win32.exe /D "C:\Program Files\Yubico\YubiKey Manager ``` -------------------------------- ### Get Device Info Command Example Output (Interactive) Source: https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/_sources/hsm2-cmd-reference.rst.txt Example output from the 'get deviceinfo' command in interactive mode, showing version, serial, log usage, and supported algorithms. ```bash Version number: 2.0.0 Serial number: 2000000 Log used: 2/62 Supported algorithms: rsa-pkcs1-sha1, rsa-pkcs1-sha256, rsa-pkcs1-sha384, rsa-pkcs1-sha512, rsa-pss-sha1, rsa-pss-sha256, rsa-pss-sha384, rsa-pss-sha512, rsa2048, rsa3072, rsa4096, ecp256, ecp384, ecp521, eck256, ecbp256, ecbp384, ecbp512, hmac-sha1, hmac-sha256, hmac-sha384, hmac-sha512, ecdsa-sha1, ecdh, rsa-oaep-sha1, rsa-oaep-sha256, rsa-oaep-sha384, rsa-oaep-sha512, aes128-ccm-wrap, opaque-data, opaque-x509-certificate, mgf1-sha1, mgf1-sha256, mgf1-sha384, mgf1-sha512, template-ssh, aes128-yubico-otp, aes128-yubico-authentication, aes192-yubico-otp, aes256-yubico-otp, aes192-ccm-wrap, aes256-ccm-wrap, ecdsa-sha256, ecdsa-sha384, ecdsa-sha512, ed25519, ecp224 ``` -------------------------------- ### Execute Bash Script for YubiHSM 2 Setup Source: https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/_sources/hsm2-java-code-signing.rst.txt This example demonstrates how to execute the Bash script for setting up YubiHSM 2, specifying parameters for key ID, key name, domain, algorithm, authentication, certificates, and configuration file. ```bash $ ./YubiHSM_PKCS11_Setup.sh -k 0x0002 -n MyKey -d 1 -a rsa2048 -i 0x0001 -p password -c ./TestCACert.pem -s ./TestCAKey.pem -f ./sun_yubihsm2_pkcs11.conf ``` -------------------------------- ### Executing a Version Command Source: https://docs.yubico.com/yesdk/yubikey-api/Yubico.YubiKey.Piv.Commands.VersionCommand.html Example of how to connect to the YubiKey, create and send a VersionCommand, and process the response to get the firmware version. ```csharp IYubiKeyConnection connection = key.Connect(YubiKeyApplication.Piv); VersionCommand versionCmd = new VersionCommand(); VersionResponse versionRsp = connection.SendCommand(versionCmd); if (versionNum.Status == ResponseStatus.Success) { FirmwareVersion versionNum = versionRsp.GetData(); } ``` -------------------------------- ### Example: Get Force Audit Option Source: https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/_sources/hsm2-cmd-reference.rst.txt Demonstrates retrieving the 'force-audit' option from the device and displaying its value. ```bash yubihsm> get option 0 force-audit 2Option value is: 00 ``` -------------------------------- ### PIV Tool Usage Example Source: https://docs.yubico.com/software/yubikey/tools/pivtool/Introduction.html This is an example of using the piv-tool for PIV operations. Ensure the tool is installed and accessible in your PATH. ```bash piv-tool --list-keys ``` -------------------------------- ### Executing a PIV Get Version Command Source: https://docs.yubico.com/yesdk/users-manual/sdk-programming-guide/commands.html Example of creating a VersionCommand and sending it via the connection to get the YubiKey's firmware version. This demonstrates the basic command execution pattern. ```csharp VersionCommand versionCommand = new VersionCommand(); VersionResponse versionResponse = connection.SendCommand(versionCommand); ``` -------------------------------- ### Execute PowerShell Script for YubiHSM 2 Setup Source: https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/_sources/hsm2-java-code-signing.rst.txt This example demonstrates how to execute the PowerShell script 'YubiHSM_PKCS11_Setup.ps1' with a specific KeyID. All other parameters will use their default values. ```powershell $ .\YubiHSM_PKCS11_Setup.ps1 -KeyID 0x0003 ``` -------------------------------- ### Select PIV Application and Generate Attestation Source: https://docs.yubico.com/yesdk/users-manual/application-piv/apdu/attest.html This example demonstrates the sequence of APDU commands to select the PIV application and then initiate the attestation statement generation. Multiple GET RESPONSE commands are used to retrieve the full certificate data, as it can be larger than a single APDU response. ```bash $ opensc-tool -c default -s 00:a4:04:00:09:a0:00:00:03:08:00:00:10:00 -s 00:f9:9c:00 -s 00:c0:00:00 -s 00:c0:00:00 -s 00:c0:00:00 ``` ```text Using reader with a card: Yubico YubiKey OTP+FIDO+CCID 0 Sending: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00 Received (SW1=0x90, SW2=0x00): 61 11 4F 06 00 00 10 00 01 00 79 07 4F 05 A0 00 00 03 08 ``` ```text Sending: 00 F9 9C 00 Received (SW1=0x90, SW2=0x00): 30 82 03 20 30 82 02 08 A0 03 02 01 02 02 10 01 48 79 0D CE 69 34 3C BD 08 C3 CB 14 EC B9 50 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 30 21 31 1F 30 1D 06 03 55 04 03 0C 16 59 75 62 69 63 6F 20 50 49 56 20 41 74 74 65 73 74 61 74 69 6F 6E 30 20 17 0D 31 36 30 33 31 34 30 30 30 30 30 30 5A 18 0F 32 30 35 32 30 34 31 37 30 30 30 30 30 5A 30 25 31 23 30 21 06 03 55 04 03 0C 1A 59 75 62 69 4B 65 79 20 50 49 56 20 41 74 74 65 73 74 61 74 69 6F 6E 20 39 63 30 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82 01 0F 00 30 82 01 0A 02 82 01 01 00 CE D2 15 EF 4E B8 57 BE 7E 7A 33 5C 6E 3A 51 C8 51 52 82 4F CE EA E1 DA B4 0D 7C 55 8D 4A 90 3A 5E 4B 88 2C 4D EB 4C 48 5D 4D E7 18 F3 48 1B 22 4A 33 AF 93 08 5C 97 1C 01 1A 8F 76 5F 6E 96 E9 48 CA 8C 91 3C ``` ```text Sending: 00 C0 00 00 Received (SW1=0x90, SW2=0x00): 3A 2B 84 C0 0B 64 8B 4B 74 48 BC 8E 8A 94 E7 92 DB 2D 6C FF 5D 75 BF 16 A3 13 F3 55 5C F2 B4 31 34 02 0A 32 DE 5F 37 C4 21 F7 71 0B 01 31 D8 8B 75 3D A2 44 FD C5 DE 26 6C C4 9E 58 36 60 20 C5 0B 57 F9 9C B3 9A 7E F8 D6 87 21 CE A7 17 69 46 40 96 4B F4 21 DE 3F FC 02 D8 49 04 07 94 64 A7 2A 92 57 52 C7 BC D8 F8 56 D9 30 7F 4E 5C 52 9D FD 55 A7 51 BB 8F B0 D0 CD CE 99 8B AD EB 62 E3 40 79 1D 72 BA 58 8C F7 F9 DB CE 1C BD D9 13 30 0A 59 66 97 15 4B 7F 59 25 82 DC 7E 91 FD 22 23 43 F0 B7 73 0F C3 00 65 14 82 A0 B2 E5 56 CD 7A F7 74 4B 41 70 D1 1C CD 0B AD 19 02 03 01 00 01 A3 4E 30 4C 30 11 06 0A 2B 06 01 04 01 82 C4 0A 03 03 04 03 05 02 04 30 14 06 0A 2B 06 01 04 01 82 C4 0A 03 07 04 06 02 04 00 AE 17 FB 30 10 06 0A 2B 06 01 04 01 82 C4 0A 03 08 04 02 03 01 30 ``` ```text Sending: 00 C0 00 00 Received (SW1=0x90, SW2=0x00): 0F 06 0A 2B 06 01 04 01 82 C4 0A 03 09 04 01 01 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 03 82 01 01 00 3F F9 48 2D 26 DB 57 D6 86 76 00 81 0C CB 65 FF D0 5E 31 97 82 F0 97 9F EA 3D D4 0D 14 24 37 92 5D E6 B2 A7 5D 71 73 5B D4 87 40 8D 0A E4 A4 A5 F9 D4 56 D7 98 FE B8 47 9A 52 CD 21 BC A7 6D 09 97 71 DC CF D0 D0 0D 9A 2B 32 13 2A 50 49 92 EC 14 7C 68 C4 97 C4 E1 E5 41 C3 38 CC 6D 85 0C FD BD C2 28 4D 53 B0 E2 45 7A 14 B5 1D 62 80 F4 FE 0C 87 50 F0 47 38 33 1C 39 EA 40 DF 1B 94 E7 FC 87 06 CA A3 D7 35 A6 4A 14 FC B0 88 8E E1 13 EB 06 97 AE 1F 4F 8E B7 DE 93 30 55 02 02 CB 22 DE 5F DE 3B 12 83 03 93 FE 33 E4 11 C4 B5 EC AE D6 57 9A 13 5A 15 F8 4F 75 55 72 F6 E9 29 E1 CA 9B A6 22 FC 0E E0 54 A4 F2 DD 23 80 CC 04 F1 E0 DC 28 72 02 7F 6C 14 E1 E1 69 13 4C 3A ``` ```text Sending: 00 C0 00 00 Received (SW1=0x90, SW2=0x00): F5 F8 57 04 B9 4C 6B CD D8 9C D1 65 1C 20 E9 0C B7 7B DA E4 0E 55 FE B5 5A 11 61 D5 A8 BF 72 36 ED 40 21 47 ``` -------------------------------- ### Whitelisted GUID Example Source: https://docs.yubico.com/software/yubikey/tools/minidriver/_sources/md_auto_install.rst.txt The specific GUID value, including brackets, to be whitelisted for non-administrator driver installation. ```text {990A2BD7-E738-46c7-B26F-1CF8FB9F1391} ``` -------------------------------- ### Open Session (Example) Source: https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/hsm2-cmd-reference.html Creates a new session with Authentication Key 1 using a specified password. This example demonstrates the combined session creation and authentication process. ```shell yubihsm> session open 1 password Created session 0 ``` -------------------------------- ### Example Key and Certificate Imports Source: https://docs.yubico.com/software/yubikey/tools/pivtool/_sources/piv-tool-command.rst.txt Demonstrates importing a PKCS12 key and certificate into slot 9c, and a GZIP-compressed certificate into slot 9c. The tool will prompt for passwords and management keys as needed. ```bash $ yubico-piv-tool -a import-key -a import-certificate -s 9c -k -i key.pfx -K PKCS12 Enter Password: Enter management key: Successfully imported a new private key. Successfully imported a new certificate. ``` ```bash $ yubico-piv-tool -a import-certificate -s 9c -k -i cert_large.gz -K GZIP Successfully imported a new certificate. ``` -------------------------------- ### Get Protocol Version APDU Data Example Source: https://docs.yubico.com/yesdk/users-manual/application-u2f/apdu/get-protocol-version.html This example shows the hexadecimal representation of the data bytes returned by the Get Protocol Version APDU command, corresponding to the ASCII string 'U2F_V2'. ```plaintext 0x55 32 46 5F 56 32 ``` -------------------------------- ### Import Key and Certificate Example Source: https://docs.yubico.com/software/yubikey/tools/pivtool/piv-tool-command.html This example demonstrates importing a PKCS12 file containing both a key and a certificate into slot 9c. It prompts for the password and management key. ```bash $ yubico-piv-tool -a import-key -a import-certificate -s 9c -k -i key.pfx -K PKCS12 Enter Password: Enter management key: Successfully imported a new private key. Successfully imported a new certificate. ``` -------------------------------- ### Import Wrapped Example (Command Line) Source: https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/_sources/hsm2-cmd-reference.rst.txt Example of importing an object from a file using a specific wrap key via the command line. ```bash $ yubihsm-shell -a put-wrapped --wrap-id 0xcf94 --in key.enc ``` -------------------------------- ### Interactive GET OPTION Example Source: https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/hsm2-cmd-reference.html Example of retrieving the 'force-audit' option value in interactive mode. ```shell yubihsm> get option 0 force-audit 2Option value is: 00 ``` -------------------------------- ### Open Channel and Install Key Set Source: https://docs.yubico.com/hardware/yubikey/yk-tech-manual/_sources/yk5-scp-specifics.rst.txt Opens a channel with the security domain and installs a new key set using gp.jar. ```Bash $ java -jar tool/target/gp.jar --mode mac --mode enc --mode rmac --mode renc --debug --lock 000102030405060708090a0b0c0d0e0f ``` -------------------------------- ### Command Line GET OPTION Example Source: https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/hsm2-cmd-reference.html Example of retrieving the 'force-audit' option value using the command-line interface. ```shell $ yubihsm-shell -a get-option --opt-name force-audit Option value is: 00 ``` -------------------------------- ### Open Asymmetric Session Example Source: https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/hsm2-cmd-reference.html Example of creating a new authenticated session using Authentication Key 100 and a private key file named 'priv.key'. This command performs both session creation and authentication. ```bash yubihsm> session open_asym 100 priv.key Created session 0 ``` -------------------------------- ### Get Device Info Output Example Source: https://docs.yubico.com/yesdk/users-manual/application-u2f/u2f-commands.html Example byte array output for device information, including a breakdown of TLV elements. ```plaintext 2e 01 02 02 3f 03 02 02 3f 02 04 00 b5 fe 55 04 01 01 05 03 05 04 02 06 02 00 00 07 01 0f 08 01 00 0d 02 02 3f 0e 02 02 3f 0a 01 00 0f 01 00 2e 01 02 02 3f 03 02 02 3f 02 04 00 b5 fe 55 04 01 01 05 03 05 04 02 06 02 00 00 07 01 0f 08 01 00 0d 02 02 3f 0e 02 02 3f 0a 01 00 0f 01 00 __ ``` -------------------------------- ### Get Log Entries Example (Interactive) Source: https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/hsm2-cmd-reference.html Example output of fetching audit log entries in interactive mode, showing details of found items. ```text 0 unlogged boots found 0 unlogged authentications found Found 6 items item: 46 -- cmd: 0x4b -- length: 234 -- session key: 0x0001 -- target key: 0xcf94 -- second key: 0x997e -- result: 0xcb -- tick: 335725 -- hash: 415f51f1f035a1b713e730e4464e4033 item: 47 -- cmd: 0x4c -- length: 77 -- session key: 0x0001 -- target key: 0xaff7 -- second key: 0xffff -- result: 0xcc -- tick: 351714 -- hash: 5496a60d478c2b9c801d8d32ca66b554 item: 48 -- cmd: 0x00 -- length: 0 -- session key: 0xffff -- target key: 0x0000 -- second key: 0x0000 -- result: 0x00 -- tick: 0 -- hash: 14ac7747ba9bbb243cfc70befeb5349b item: 49 -- cmd: 0x03 -- length: 10 -- session key: 0xffff -- target key: 0x0001 -- second key: 0xffff -- result: 0x83 -- tick: 139 -- hash: b20a8f25c025e693a8e869b433294a20 item: 50 -- cmd: 0x04 -- length: 17 -- session key: 0xffff -- target key: 0x0001 -- second key: 0xffff -- result: 0x84 -- tick: 139 -- hash: ebfae425c319ac7a0afbb8b92597de7c item: 51 -- cmd: 0x67 -- length: 2 -- session key: 0x0001 -- target key: 0xffff -- second key: 0xffff -- result: 0xe7 -- tick: 697 -- hash: 2e395d1b706668737e1d2215813db47e ``` -------------------------------- ### U2F Registration Example Source: https://docs.yubico.com/yesdk/yubikey-api/Yubico.YubiKey.U2f.Commands.RegisterCommand.html Demonstrates how to perform a U2F registration using the RegisterCommand. It shows how to repeatedly send the command until the user confirms presence by touching the device. ```csharp IYubiKeyConnection connection = key.Connect(YubiKeyApplication.FidoU2f); byte[] challenge = new byte[32]; RandomNumberGenerator.Fill(challenge); byte[] appId = new byte[32]; RandomNumberGenerator.Fill(appId); RegisterCommand registerCommand = new RegisterCommand(challenge, appId); RegisterResponse registerResponse; do { registerResponse = fidoConnection.SendCommand(registerCommand); } while (registerResponse.Status == ResponseStatus.ConditionsNotSatisfied); RegistrationData data = registerResponse.GetData(); ``` -------------------------------- ### Get CHUID using GET DATA APDU Source: https://docs.yubico.com/yesdk/users-manual/application-piv/apdu/get-data.html This example demonstrates how to retrieve the CHUID from a YubiKey using the GET DATA APDU command. It first selects the PIV application and then sends the GET DATA command with the appropriate parameters for the CHUID data object. ```bash $ opensc-tool -c default -s 00:a4:04:00:09:a0:00:00:03:08:00:00:10:00 -s 00:cb:3f:ff:05:5c:03:5f:c1:02 Using reader with a card: Yubico YubiKey OTP+FIDO+CCID 0 Sending: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00 Received (SW1=0x90, SW2=0x00): 61 11 4F 06 00 00 10 00 01 00 79 07 4F 05 A0 00 00 03 08 Sending: 00 CB 3F FF 05 5C 03 5F C1 02 Received (SW1=0x90, SW2=0x00): 53 3B 30 19 D4 E7 39 DA 73 9C ED 39 CE 73 9D 83 68 58 21 08 42 10 84 21 38 42 10 C3 F5 34 10 AD 64 BE AC 16 11 4A 56 93 A2 9D 58 3B 74 CB 44 35 08 32 30 33 30 30 31 30 31 3E 00 FE 00 53 3B 30 19 D4 E7 39 DA 73 9C ED 39 CE 73 9D 83 68 58 21 08 42 10 84 21 38 42 10 C3 F5 34 10 AD 64 BE AC 16 11 4A 56 93 A2 9D 58 3B 74 CB 44 35 08 32 30 33 30 30 31 30 31 3E 00 FE 00 ``` -------------------------------- ### Swap Slot Configurations Example Source: https://docs.yubico.com/yesdk/users-manual/application-otp/commands-swap-slots.html Demonstrates swapping slot configurations using opensc-tool. This command first selects an application and then sends the command to swap slots. ```bash $ opensc-tool.exe -c default -r 1 -s 00:a4:04:00:08:a0:00:00:05:27:20:01:01 -s 00:01:06:00 Sending: 00 A4 04 00 08 A0 00 00 05 27 20 01 01 Received (SW1=0x90, SW2=0x00): 05 03 01 02 05 00 ...... Sending: 00 01 06 00 Received (SW1=0x90, SW2=0x00): 05 03 01 03 05 00 ...... ``` -------------------------------- ### Basic MSI Install via Command Line Source: https://docs.yubico.com/software/yubikey/tools/minidriver/_sources/md_manual_install.rst.txt Use this command for a basic installation of the YubiKey Minidriver MSI package. ```bash msiexec /i YubiKey-Minidriver-4.6.3.252-x64.msi ``` -------------------------------- ### Constructing GET DATA APDUs Source: https://docs.yubico.com/yesdk/users-manual/application-piv/commands.html Examples of how to construct APDUs for the GET DATA command with different tag lengths. These are used when interacting with the YubiKey at a low level. ```text 5C 01 7E 5C 02 7F 61 5C 03 5F C1 xx ``` -------------------------------- ### Interactive GET OPTION Command Source: https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/_sources/hsm2-cmd-reference.rst.txt Example of using the 'get option' command in interactive mode to retrieve a device option, specifying session and option tag. ```bash yubihsm> get option e:session,o:option ``` -------------------------------- ### Store Authentication Key Example Source: https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/hsm2-cmd-reference.html This example demonstrates how to store a new Authentication Key using a specified password. It shows the command with all necessary parameters and the expected output indicating the stored key's ID. ```bash yubihsm> put authkey 0 0 authkey 1 generate-asymmetric-key,sign-pkcs sign-pkcs newpassword Stored Authentication key 0xbb72 ``` -------------------------------- ### Import Asymmetric Key Command Example Source: https://docs.yubico.com/yesdk/yubikey-api/Yubico.YubiKey.Piv.Commands.ImportAsymmetricKeyCommand.html Demonstrates how to create and execute the ImportAsymmetricKeyCommand. Ensure the private key is cleared after the command is sent. ```csharp var privateKey = new PivEccPrivateKey(privateValue); IYubiKeyConnection connection = key.Connect(YubiKeyApplication.Piv); var importKeyCommand = new ImportAsymmetricKeyCommand( privateKey, PivSlot.Signing, PivPinPolicy.Default, PivTouchPolicy.Default); ImportAsymmetricKeyResponse importAsymmetricKeyResponse = connection.SendCommand(importKeyCommand); if (importAsymmetricKeyResponse.Status != ResponseStatus.Success) { // Handle error } privateKey.Clear(); ``` -------------------------------- ### Interactive GET OPAQUE Command Source: https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/_sources/hsm2-cmd-reference.rst.txt Example of using the 'get opaque' command in interactive mode to retrieve an object, specifying session, object ID, and an output file. ```bash yubihsm> get opaque e:session,w:object_id,F:file=- ``` -------------------------------- ### Example: Fetch Opaque Object and Save to PEM Source: https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/_sources/hsm2-cmd-reference.rst.txt Demonstrates fetching an opaque object using the command-line tool and saving its PEM-encoded content to a file. ```bash $ yubihsm-shell -a get-opaque -i 0xe255 --out cert.pem ``` -------------------------------- ### Example: Requesting and Using a Temporary PIN Source: https://docs.yubico.com/yesdk/yubikey-api/Yubico.YubiKey.Piv.Commands.VerifyTemporaryPinCommand.html Demonstrates how to request a temporary PIN using VerifyUvCommand and then use it to authenticate with VerifyTemporaryPinCommand. ```csharp /* This example assumes the application has a method to collect a PIN. */ IYubiKeyConnection connection = key.Connect(YubiKeyApplication.Piv); /* request temporary PIN */ var verifyUvCommand = new VerifyUvCommand(true, false); /* a biometric verification will be performed */ var verifyUvResponse = connection.SendCommand(verifyUvCommand); if (verifyUvResponse.Status == ResponseStatus.Success) { var temporaryPin = verifyUvResponse.GetData(); /* using temporary PIN will not request biometric verification */ var verifyTemporaryPinCommand = new VerifyTemporaryPin(temporaryPin); var verifyResponse = connection.SendCommand(verifyTemporaryPinCommand); if (verifyResponse == ResponseStatus.Success) { /* session is authenticated */ } } ``` -------------------------------- ### Get ykman CLI Version on macOS Source: https://docs.yubico.com/software/yubikey/tools/ykman/Using_the_ykman_CLI.html Check the installed version of the ykman CLI on macOS. ```bash % ykman -v YubiKey Manager (ykman) version: 5.9.1 ``` -------------------------------- ### Example Wrap Key Share Source: https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/_sources/hsm2-tools-ksp.rst.txt This is an example of a key share presented on the screen during the wrap key generation process. It includes a prefix indicating the number of shares required and the share number. ```bash 2-1-691042965113bfa1a793d739df112703aec2801f0f20aecdcb847f6d6522118bb717b24e3efc3964b033133b995eb4556d725221 Have you saved the key share? ``` -------------------------------- ### Get ykman CLI Version on Windows Source: https://docs.yubico.com/software/yubikey/tools/ykman/Using_the_ykman_CLI.html Check the installed version of the ykman CLI on Windows. ```bash > ykman -v YubiKey Manager (ykman) version: 5.9.1 ``` -------------------------------- ### Example: Reading a Certificate Source: https://docs.yubico.com/software/yubikey/tools/pivtool/piv-tool-command.html Demonstrates how to read a certificate from slot 9a and display its content. ```bash $ yubico-piv-tool -a read-certificate -s 9a -----BEGIN CERTIFICATE----- MIIBuTCCAWCgAwIBAgIJAMOZXtijzEepMAoGCCqGSM49BAMCMDgxETAPBgNVBAMM CHBpdl9hdXRoMQ0wCwYDVQQLDAR0ZXN0MRQwEgYDVQQKDAtleGFtcGxlLmNvbTAe Fw0xOTA4MTMwODEwNDVaFw0yMDA4MTIwODEwNDVaMDgxETAPBgNVBAMMCHBpdl9h dXRoMQ0wCwYDVQQLDAR0ZXN0MRQwEgYDVQQKDAtleGFtcGxlLmNvbTBZMBMGByqG SM49AgEGCCqGSM49AwEHA0IABKPfSKeNY204JiHsSUwDAV8GuYqZOHfJJxrT4E0q VWsKdC5zwRc7xvb2YgbMonPW5BfIUi766/VwWN54UsqWVuWjUzBRMB0GA1UdDgQW BBR/bpCmGr+ark0VbGX5UvYWy9dM9DAfBgNVHSMEGDAWgBR/bpCmGr+ark0VbGX5 UvYWy9dM9DAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA0cAMEQCIHZZe7Xm s6y8LKEBqGnbr1cbniHgMrvM1ST6GpL27HuaAiB+UwjI21GxIsd5r2avmwvT5LeZ gQBns9KNCIgkwx+/Iw== -----END CERTIFICATE----- ``` -------------------------------- ### Get Device Info Command Example Output (CLI) Source: https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/_sources/hsm2-cmd-reference.rst.txt Example output from the 'yubihsm-shell -a get-device-info' command, showing version, serial, log usage, supported algorithms, and part number. ```bash $ yubihsm-shell -a get-device-info Version number: 2.4.0 Serial number: 123456 Log used: 14/62 Supported algorithms: rsa-pkcs1-sha1, rsa-pkcs1-sha256, rsa-pkcs1-sha384, rsa-pkcs1-sha512, rsa-pss-sha1, rsa-pss-sha256, rsa-pss-sha384, rsa-pss-sha512, rsa2048, rsa3072, rsa4096, ecp256, ecp384, ecp521, eck256, ecbp256, ecbp384, ecbp512, hmac-sha1, hmac-sha256, hmac-sha384, hmac-sha512, ecdsa-sha1, ecdh, rsa-oaep-sha1, rsa-oaep-sha256, rsa-oaep-sha384, rsa-oaep-sha512, aes128-ccm-wrap, opaque-data, opaque-x509-certificate, mgf1-sha1, mgf1-sha256, mgf1-sha384, mgf1-sha512, template-ssh, aes128-yubico-otp, aes128-yubico-authentication, aes192-yubico-otp, aes256-yubico-otp, aes192-ccm-wrap, aes256-ccm-wrap, ecdsa-sha256, ecdsa-sha384, ecdsa-sha512, ed25519, ecp224, rsa-pkcs1-decrypt, ecp256-yubico-authentication, aes128, aes192, aes256, aes-ecb, aes-cbc, aes-kwp, Part number: 78CLUFX5000P ``` -------------------------------- ### Import Wrapped RSA Key (Interactive Mode - Example) Source: https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/_sources/hsm2-cmd-reference.rst.txt Example of importing an object from 'object.enc' using Wrap Key '0xcf94' with specific OAEP and MGF1 algorithms. ```bash yubihsm> put rsa_wrapped 0 0xcf94 rsa-oaep-sha384 mgf1-sha1 object.enc Object imported as 0x997e of type asymmetric ``` -------------------------------- ### Example: Reading a nested TLV with ReadEncoded Source: https://docs.yubico.com/yesdk/core-api/Yubico.Core.Tlv.TlvReader.html Demonstrates how ReadEncoded handles nested TLVs by returning the entire encoding of the outer TLV. The example shows reading a TLV starting at the beginning of the encoding. ```csharp 7C 0D 01 01 14 02 02 01 80 05 04 00 89 2C 33 This is a NestedTlv 7C 0D 01 01 14 02 02 01 80 05 04 00 89 2C 33__ ``` ```csharp encoded = reader.ReadEncoded(0x7C); This will return a new ReadOnlyMemory object that points to 7C 0D 01 01 14 02 02 01 80 05 04 00 89 2C 33 Length is 15 After the call, the internal position of the reader is at the position just after the last byte of the value, which is beyond the end of the full encoding.__ ``` -------------------------------- ### Example: Fetch Template Object and Save to File Source: https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/_sources/hsm2-cmd-reference.rst.txt Demonstrates fetching template object with ID 0x7b19 and saving its content to a file named 'template.dat'. ```bash yubihsm> get template 0 0x7b19 template.dat ``` -------------------------------- ### Example: Verifying PIN with opensc-tool Source: https://docs.yubico.com/yesdk/users-manual/application-piv/apdu/verify.html This example demonstrates how to use the 'opensc-tool' command-line utility to send APDU commands for PIN verification. It shows the selection of an application and the subsequent PIN verification command with a sample PIN. ```bash $ opensc-tool -c default -s 00:a4:04:00:09:a0:00:00:03:08:00:00:10:00 -s 00:20:00:80:08:31:32:33:34:35:36:ff:ff Using reader with a card: Yubico YubiKey OTP+FIDO+CCID 0 Sending: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00 Received (SW1=0x90, SW2=0x00): 61 11 4F 06 00 00 10 00 01 00 79 07 4F 05 A0 00 00 03 08 Sending: 00 20 00 80 08 31 32 33 34 35 36 FF FF Received (SW1=0x90, SW2=0x00) ``` -------------------------------- ### User Interface Example for PIN Collection Source: https://docs.yubico.com/yesdk/users-manual/sdk-programming-guide/key-collector.html This example illustrates how to present messages to the user based on the `KeyEntryRequest`, `IsRetry`, and `RetriesRemaining` properties, guiding them through PIN entry and informing them about retry status and remaining attempts. ```text Enter the PIV PIN The previous PIN attempt failed. You have 4 attempts remaining before the PIN is blocked. PIN:_ OK CANCEL ``` -------------------------------- ### Command Line Mode: BLINK DEVICE Example Source: https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/_sources/hsm2-cmd-reference.rst.txt Example of blinking the device's LED for 15 seconds using the command line interface. ```bash $ yubihsm-shell -a blink-device --duration 15 ``` -------------------------------- ### Get Metadata for PUK Source: https://docs.yubico.com/yesdk/users-manual/application-piv/apdu/metadata.html Retrieves metadata for the PUK. This example illustrates the APDU commands and the metadata response for the PUK. ```bash $ opensc-tool -c default -s 00:a4:04:00:09:a0:00:00:03:08:00:00:10:00 -s 00:f7:00:81 Using reader with a card: Yubico YubiKey OTP+FIDO+CCID 0 Sending: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00 Received (SW1=0x90, SW2=0x00): 61 11 4F 06 00 00 10 00 01 00 79 07 4F 05 A0 00 00 03 08 Sending: 00 F7 00 81 Received (SW1=0x90, SW2=0x00): 01 01 FF 05 01 01 06 02 05 05 01 01 FF 05 01 01 06 02 05 05 ``` -------------------------------- ### Example: Verifying PIN and Testing Decipher Source: https://docs.yubico.com/software/yubikey/tools/pivtool/piv-tool-command.html Demonstrates verifying the PIN and testing the decipher function, requiring PIN input and providing a certificate for encryption. ```bash $ yubico-piv-tool -a verify-pin -a test-decipher -s 9a Enter PIN: Successfully verified PIN. Please paste the certificate to encrypt for... -----BEGIN CERTIFICATE----- MIIBuTCCAWCgAwIBAgIJAMOZXtijzEepMAoGCCqGSM49BAMCMDgxETAPBgNVBAMM CHBpdl9hdXRoMQ0wCwYDVQQLDAR0ZXN0MRQwEgYDVQQKDAtleGFtcGxlLmNvbTAe Fw0xOTA4MTMwODEwNDVaFw0yMDA4MTIwODEwNDVaMDgxETAPBgNVBAMMCHBpdl9h dXRoMQ0wCwYDVQQLDAR0ZXN0MRQwEgYDVQQKDAtleGFtcGxlLmNvbTBZMBMGByqG SM49AgEGCCqGSM49AwEHA0IABKPfSKeNY204JiHsSUwDAV8GuYqZOHfJJxrT4E0q VWsKdC5zwRc7xvb2YgbMonPW5BfIUi766/VwWN54UsqWVuWjUzBRMB0GA1UdDgQW BBR/bpCmGr+ark0VbGX5UvYWy9dM9DAfBgNVHSMEGDAWgBR/bpCmGr+ark0VbGX5 UvYWy9dM9DAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA0cAMEQCIHZZe7Xm s6y8LKEBqGnbr1cbniHgMrvM1ST6GpL27HuaAiB+UwjI21GxIsd5r2avmwvT5LeZ gQBns9KNCIgkwx+/Iw== -----END CERTIFICATE----- Successfully performed ECDH exchange with card. ``` -------------------------------- ### Get Metadata for PIN Source: https://docs.yubico.com/yesdk/users-manual/application-piv/apdu/metadata.html Retrieves metadata for the PIN. This example shows the APDU commands and the resulting metadata for the PIN. ```bash $ opensc-tool -c default -s 00:a4:04:00:09:a0:00:00:03:08:00:00:10:00 -s 00:f7:00:80 Using reader with a card: Yubico YubiKey OTP+FIDO+CCID 0 Sending: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00 Received (SW1=0x90, SW2=0x00): 61 11 4F 06 00 00 10 00 01 00 79 07 4F 05 A0 00 00 03 08 Sending: 00 F7 00 80 Received (SW1=0x90, SW2=0x00): 01 01 FF 05 01 01 06 02 05 05 01 01 FF 05 01 01 06 02 05 05 ``` -------------------------------- ### Navigate to Downloads Directory Source: https://docs.yubico.com/software/yubikey/tools/ykman/Using_the_ykman_GUI.html Change the current directory to your Downloads folder to access the installer. ```bash C:\Users\ > cd Downloads C:\Users\\Downloads > ``` -------------------------------- ### Example: Reading a sub-element with ReadEncoded Source: https://docs.yubico.com/yesdk/core-api/Yubico.Core.Tlv.TlvReader.html Illustrates reading a specific sub-element within a nested TLV structure using ReadEncoded. The example shows reading the second sub-element (tag 0x02) when the reader's position is at its start. ```csharp value = reader.ReadEncoded(0x02); This will return a new ReadOnlyMemory object that points to 02 02 01 80 Length is 4 After the call, the internal position of the reader is at the position just after the last byte of the value, which is the next TLV: 05 04 etc.__ ``` -------------------------------- ### Generate Asymmetric Key Example (Command Line Mode) Source: https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/_sources/hsm2-cmd-reference.rst.txt Example of generating a new asymmetric key using the secp256r1 algorithm in command-line mode. ```bash $ yubihsm-shell -a generate-asymmetric-key -i 0 -l eckey -d 1 -c sign-ecdsa -A ecp256 Generated Asymmetric key 0x2846 ``` -------------------------------- ### Display ykman CLI help information Source: https://docs.yubico.com/software/yubikey/tools/ykman/Install_ykman.html After installation, run this command in the terminal to display the ykman CLI's help message, including usage instructions and examples. This verifies the installation and provides quick access to command options. ```bash ~ % ykman -h Usage: ykman [OPTIONS] COMMAND [ARGS]... Configure your YubiKey via the command line. Examples: List connected YubiKeys, only output serial number: $ ykman list --serials Show information about YubiKey with serial number 123456: $ ykman --device 123456 info . . . ``` -------------------------------- ### Encrypt Data Example (Interactive) Source: https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/hsm2-cmd-reference.html Example of encrypting the string 'Hello world!' using Wrap Key '0x5b3a' in interactive mode. ```bash yubihsm> encrypt aesccm 0 0x5b3a "Hello world!" MRkj6B0AAAAAAAAAAoO4dkIeAYoPvwTV/M/JX1dwKnLqnERO1hSW4wPS ``` -------------------------------- ### Generate a new private key (Example 1: Self signed certificate on slot 9a) Source: https://docs.yubico.com/software/yubikey/tools/pivtool/index.html This example demonstrates generating a new private key in slot 9a and then creating a self-signed certificate for it. ```bash yubico-piv-tool --generate-key 9a --key-type "RSA2048" --pin-policy "once" --touch-policy "never" --selfsign-certificate 9a --subject "CN=Test User,OU=Test,O=Test" --valid-days 365 ``` -------------------------------- ### Example Usage of GetData Source: https://docs.yubico.com/yesdk/yubikey-api/Yubico.YubiKey.Fido2.Commands.BioEnrollBeginResponse.html Demonstrates how to connect to a YubiKey, send a command to get CHUID data, and process the response if successful. ```csharp IYubiKeyConnection connection = key.Connect(YubiKeyApplication.Piv); GetDataCommand getDataCommand = new GetDataCommand(PivDataTag.Chuid); GetDataResponse getDataResponse = connection.SendCommand(getDataCommand); if (getDataResponse.Status == ResponseStatus.Success) { byte[] getChuid = getDataResponse.GetData(); }__ ```