### Complete Certificate Setup Example (C#) Source: https://docs.yubico.com/yesdk/users-manual/application-security-domain/security-domain-certificates An example demonstrating a complete initial certificate setup for a YubiKey. This includes storing the full certificate chain, configuring CA information, and setting up an allowlist for enhanced security. Assumes an authenticated session and requires appropriate parameters. ```csharp // Example of complete setup using var session = new SecurityDomainSession(yubiKeyDevice, Scp03KeyParameters.DefaultKey); var keyRef = KeyReference.Create(ScpKeyIds.Scp11A, kvn); // Store full chain session.StoreCertificates(keyRef, certificateChain); // Configure CA var oceRef = KeyReference.Create(OceKid, kvn); session.StoreCaIssuer(oceRef, GetSkiFromCertificate(caCert)); // Set up allowlist session.StoreAllowlist(keyRef, allowedSerials); ``` -------------------------------- ### SCP11a Setup Example (C#) Source: https://docs.yubico.com/yesdk/users-manual/application-security-domain/security-domain-certificates An example setup for the SCP11a protocol, which requires a full certificate chain and OCE certificates for mutual authentication. It demonstrates creating a session, defining a key reference, storing certificates, and configuring the OCE with CA issuer information. Requires an authenticated session. ```csharp // Setup with full chain for SCP11a using var session = new SecurityDomainSession(yubiKeyDevice, scp03Params); var keyRef = KeyReference.Create(ScpKeyIds.Scp11A, kvn); // Store certificates session.StoreCertificates(keyRef, certificates); // Configure OCE var oceRef = KeyReference.Create(OceKid, kvn); session.StoreCaIssuer(oceRef, skiBytes); ``` -------------------------------- ### PIV GET DATA Example (Conceptual) Source: https://docs.yubico.com/yesdk/users-manual/application-piv/get-and-put-data This conceptual example demonstrates how to use the GET DATA command with a specific tag to retrieve data from a PIV-compatible YubiKey. The returned byte array needs to be parsed by the caller to extract the relevant information. This approach is efficient as it uses a single command for multiple data elements. ```pseudocode // Example: Retrieve the 'Discovery' data element byte[] discoveryData = pIV.getData(PivDataTag.Discovery); // Parse discoveryData to get Application AID and PIN Usage Policy if (discoveryData != null) { // Parse the TLV structure of discoveryData // Extract Application AID (e.g., A000000308000010000100) // Extract PIN Usage Policy (e.g., xx yy) } // Example: Retrieve the 'Signing Cert' data element byte[] signingCertData = pIV.getData(PivDataTag.SigningCert); if (signingCertData == null || signingCertData.length == 0) { // Handle 'NoData' scenario print("Signing certificate not found."); } ``` -------------------------------- ### SCP11b Basic Setup Example (C#) Source: https://docs.yubico.com/yesdk/users-manual/application-security-domain/security-domain-certificates A basic setup example for the SCP11b protocol, which does not require mutual authentication. This example demonstrates creating a session and storing only the device certificate, suitable for scenarios where host authentication is not needed. Requires an authenticated session. ```csharp // Basic SCP11b setup using var session = new SecurityDomainSession(yubiKeyDevice, scp03Params); var keyRef = KeyReference.Create(ScpKeyIds.Scp11B, kvn); // Only store device certificate session.StoreCertificates(keyRef, new[] { deviceCert }); ``` -------------------------------- ### Initial YubiKey Provisioning for Production Source: https://docs.yubico.com/yesdk/users-manual/application-security-domain/security-domain-tasks Guides through the initial provisioning of a YubiKey for production deployment. This involves preparing SCP03 keys and SCP11 credentials, configuring the YubiKey, and validating the setup. ```csharp var scp03Keys = GenerateSecureKeys(); var (privateKey, publicKey, certificates) = GenerateScp11Credentials(); ``` -------------------------------- ### SCP11a Mutual Authentication Setup Source: https://docs.yubico.com/yesdk/users-manual/sdk-programming-guide/secure-channel-protocol This snippet demonstrates the full setup for SCP11a mutual authentication. It involves generating a new key pair on the YubiKey, configuring an off-card entity (OCE), and establishing a secure session using SCP11a parameters. Requires the `YubiNet.YubiKey` library. ```csharp using var session = new SecurityDomainSession(yubiKeyDevice, Scp03KeyParameters.DefaultKey); const byte kvn = 0x03; var keyRef = KeyReference.Create(ScpKeyIds.Scp11A, kvn); // Generate new key pair on YubiKey var newPublicKey = session.GenerateEcKey(keyRef); // Setup off-card entity (OCE) var oceRef = KeyReference.Create(OceKid, kvn); var ocePublicKey = new ECPublicKeyParameters(oceCerts.Ca.PublicKey.GetECDsaPublicKey()); session.PutKey(oceRef, ocePublicKey); // Store CA identifier var ski = GetSubjectKeyIdentifier(oceCerts.Ca); session.StoreCaIssuer(oceRef, ski); // Create SCP11a parameters var scp11Params = new Scp11KeyParameters( keyRef, new ECPublicKeyParameters(newPublicKey.Parameters), oceRef, new ECPrivateKeyParameters(privateKey), certChain); // Use the secure connection using var session = new SecurityDomainSession(yubiKeyDevice, scp11Params); ``` -------------------------------- ### Add Yubico.YubiKey NuGet package using dotnet CLI Source: https://docs.yubico.com/yesdk/users-manual/getting-started/how-to-install Use the 'dotnet add package' command to install the Yubico.YubiKey SDK into your .NET project. This command requires the path to your project file. ```bash dotnet add package Yubico.YubiKey ``` -------------------------------- ### PIV PUT DATA Example (Conceptual) Source: https://docs.yubico.com/yesdk/users-manual/application-piv/get-and-put-data This conceptual example illustrates how to use the PUT DATA command to write or update data associated with a specific PIV data tag on a YubiKey. The SDK allows flexibility in data format for PUT DATA operations, but validation is recommended if strict adherence to PIV standard formats is required. ```pseudocode // Example: Put data into the 'Printed' element byte[] printedData = new byte[] { /* arbitrary data */ }; pIV.putData(PivDataTag.Printed, printedData); // Example: Put data into a vendor-defined tag (e.g., tag 0xFF01) byte[] vendorData = new byte[] { /* application-specific data */ }; pIV.putData(PivDataTag.VendorDefined(0xFF01), vendorData); // Note: If strict format compliance is needed, validate 'printedData' and 'vendorData' // against the expected PIV standard formats before calling putData. ``` -------------------------------- ### PIV Get Version Command Example Source: https://docs.yubico.com/yesdk/users-manual/sdk-programming-guide/commands Illustrates how to execute a specific PIV command, 'Get Version', using the SDK. It involves creating an instance of VersionCommand and then using the SendCommand method via a connection object to retrieve the VersionResponse. ```csharp VersionCommand versionCommand = new VersionCommand(); VersionResponse versionResponse = connection.SendCommand(versionCommand); ``` -------------------------------- ### Get Device Info Response APDU Example Source: https://docs.yubico.com/yesdk/users-manual/application-u2f/u2f-commands Provides an example of a response APDU for the 'Get device info' command. The response begins with the length of the device info data, followed by TLV-encoded information elements. ```plaintext 2e 01 02 02 3f 03 02 02 3f 02 04 00 b5 fe 55 04 01 01 05 03 05 04 02 06 02 00 00 07 01 0f 08 01 00 0d 02 02 3f 0e 02 02 3f 0a 01 00 0f 01 00 ``` -------------------------------- ### Import Yubico.YubiKey namespace in C# Source: https://docs.yubico.com/yesdk/users-manual/getting-started/how-to-install Include the Yubico.YubiKey namespace at the top of your C# source file to begin using the YubiKey SDK functionalities. ```csharp using Yubico.YubiKey; ``` -------------------------------- ### SCP11b Example in C# Source: https://docs.yubico.com/yesdk/users-manual/sdk-programming-guide/secure-channel-protocol Provides an example of implementing the SCP11b variant in C#, where the YubiKey authenticates to the host. This involves retrieving certificates stored on the YubiKey, verifying the certificate chain, creating Scp11KeyParameters using the leaf certificate's public key, and initiating a PIV session. ```csharp var keyReference = KeyReference.Create(ScpKeyIds.Scp11B, 0x1); IReadOnlyCollection certificateList; using (var session = new SecurityDomainSession(yubiKeyDevice)) { certificateList = session.GetCertificates(keyReference); } CertificateChainVerifier.Verify(certificateList) var leaf = certificateList.Last(); var ecDsaPublicKey = leaf.PublicKey.GetECDsaPublicKey()!.ExportParameters(false); var keyParams = new Scp11KeyParameters( keyReference, new ECPublicKeyParameters(ecDsaPublicKey)); using var pivSession = new PivSession(yubiKeyDevice, keyParams); ``` -------------------------------- ### Example TLV Structure Source: https://docs.yubico.com/yesdk/users-manual/support/support-tlv Illustrates a basic Tag-Length-Value (TLV) byte array structure, showing the components: tag, length, and value. This serves as a foundational example for understanding TLV encoding. ```text 08 04 72 26 9A 33 ^ | tag ``` -------------------------------- ### Yubico-defined GET DATA elements empty upon manufacture Source: https://docs.yubico.com/yesdk/users-manual/application-piv/commands Lists Yubico-defined GET DATA elements that are initially empty and require PUT DATA to be populated. Includes tags, meanings, and authentication needs. Examples: ADMIN DATA, MSCMAP. ```markdown Table 5B: Yubico-defined GET DATA elements empty upon manufacture Name | Tag | Meaning | Authentication Required | Data Returned ---|---|---|---|--- ADMIN DATA | 5F FF 00 | PIV manager application administrative data | PUT: mgmt key GET: none | Encoded admin data MSCMAP | 5F FF 10 | Microsoft container map | PUT: mgmt key GET: none | MSCMAP MSROOTS1 to MSROOTS5 | 5F FF 11 through 5F FF 15 | Microsoft root certs | PUT: mgmt key GET: none | MSROOTS ``` -------------------------------- ### Yubico-defined GET DATA elements available upon manufacture Source: https://docs.yubico.com/yesdk/users-manual/application-piv/commands Lists Yubico-defined GET DATA elements present on the YubiKey upon manufacture, including their tags, meanings, and authentication requirements. Example: ATTESTATION (5F FF 01). ```markdown Table 5A: Yubico-defined GET DATA elements available upon manufacture Name | Tag | Meaning | Authentication Required | Data Returned ---|---|---|---|--- ATTESTATION | 5F FF 01 | Attestation cert | PUT: mgmt key GET: none | Encoded certificate ``` -------------------------------- ### Query Key Information (C#) Source: https://docs.yubico.com/yesdk/users-manual/application-security-domain/security-domain-keys Provides an example of retrieving information about all installed keys on the YubiHSM 2. It iterates through the results, displaying the KeyReference (ID and Version). ```csharp // Get information about installed keys var keyInfo = session.GetKeyInformation(); foreach (var entry in keyInfo) { var keyRef = entry.Key; // KeyReference containing ID and Version var components = entry.Value; // Dictionary of key components Console.WriteLine($"Key {keyRef.Id:X2}:{keyRef.VersionNumber:X2}"); } ``` -------------------------------- ### opensc-tool Set Management Key Example Source: https://docs.yubico.com/yesdk/users-manual/application-piv/apdu/set-mgmt-key This example demonstrates how to use the `opensc-tool` command-line utility to set a management key on a YubiKey. It includes the commands sent to select the application and then set the management key, along with the expected responses for both success and authentication failure. ```bash $ opensc-tool -c default -s 00:a4:04:00:09:a0:00:00:03:08:00:00:10:00 -s 00:FF:FF:FF:1B:03:9B:18:01:02:03:04:05:06:07:08: 08:07:06:05:04:03:02:01: 08:07:06:05:04:03:02:01 Using reader with a card: Yubico YubiKey OTP+FIDO+CCID 0 Sending: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00 Received (SW1=0x90, SW2=0x00): 61 11 4F 06 00 00 10 00 01 00 79 07 4F 05 A0 00 00 03 08 Sending: 00 FF FF FF 1B 03 9B 18 01 02 03 04 05 06 07 08 08 07 06 05 04 03 02 01 08 07 06 05 04 03 02 01 Received (SW1=0x69, SW2=0x82) ``` -------------------------------- ### Complete YubiKey SCP03 Key Management Flow (C#) Source: https://docs.yubico.com/yesdk/users-manual/sdk-programming-guide/secure-channel-protocol Illustrates a comprehensive workflow for managing SCP03 key sets on a YubiKey. It begins with the default keys, adds the first custom key set (which removes defaults), authenticates with the new keys, adds a second key set, and retrieves key information. This example highlights the lifecycle of key management, including adding and checking key sets. ```csharp // Start with default keys var defaultScp03Params = Scp03KeyParameters.DefaultKey; var firstKvn = 0x1; var keyRef1 = KeyReference.Create(ScpKeyIds.Scp03, firstKvn); using (var session = new SecurityDomainSession(yubiKeyDevice, defaultScp03Params)) { // Add first custom key set (removes default) session.PutKey(keyRef1, newKeys); } // Now authenticate with new keys var newScp03Params = new Scp03KeyParameters(keyRef1, newKeys); using (var session = new SecurityDomainSession(yubiKeyDevice, newScp03Params)) { // Add second key set var secondKvn = 0x2; var keyRef2 = KeyReference.Create(ScpKeyIds.Scp03, secondKvn); session.PutKey(keyRef2, customKeys2); // Check current key information var keyInfo = session.GetKeyInformation(); } ``` -------------------------------- ### YubiKey PIV: Fetching Attestation Certificate Data Source: https://docs.yubico.com/yesdk/users-manual/application-piv/apdu/attest This example demonstrates the sequence of commands to retrieve an attestation certificate from a YubiKey, which may be returned in multiple chunks. It shows the initial command to get the certificate, followed by GET RESPONSE APDU commands to fetch subsequent parts of the certificate data until the complete certificate is retrieved. ```bash $ opensc-tool -c default -s 00:a4:04:00:09:a0:00:00:03:08:00:00:10:00 \ -s 00:f9:9c:00 -s 00:c0:00:00 -s 00:c0:00:00 -s 00:c0:00:00 # Example output showing certificate data being fetched: Sending: 00 F9 9C 00 Received (SW1=0x90, SW2=0x00): 30 82 03 20 30 82 02 08 A0 03 02 01 02 02 10 01 ... Sending: 00 C0 00 00 Received (SW1=0x90, SW2=0x00): 3A 2B 84 C0 0B 64 8B 4B 74 48 BC 8E 8A 94 E7 92 ... Sending: 00 C0 00 00 Received (SW1=0x90, SW2=0x00): 0F 06 0A 2B 06 01 04 01 82 C4 0A 03 09 04 01 01 ... Sending: 00 C0 00 00 Received (SW1=0x90, SW2=0x00): F5 F8 57 04 B9 4C 6B CD D8 9C D1 65 1C 20 E9 0C ... ``` -------------------------------- ### opensc-tool Example: YubiKey Key Agreement Source: https://docs.yubico.com/yesdk/users-manual/application-piv/apdu/auth-key-agree This example demonstrates how to perform a key agreement operation using the `opensc-tool` utility with a YubiKey. It shows the sequence of commands, including selecting the application, verifying a PIN, and sending the AUTHENTICATE command with the necessary APDU data, along with the received response. ```bash $ opensc-tool -c default -s 00:a4:04:00:09:a0:00:00:03:08:00:00:10:00 -s 00:20:00:80:08:31:32:33:34:35:36:ff:ff -s 00:87:11:90:47:7c:45:82:00:85:41: 04:65:2D:C5:8C:DC:1F:09:11:50:DB:91:F5:F5:8C:A5:32: A5:09:75:E2:34:20:79:09:10:C7:0F:E3:A3:AB:86:DC: EA:9C:70:9F:56:06:3B:CD:22:47:F7:D7:D5:7C:92:5C: 8F:CF:F2:A2:A8:9A:E2:86:00:CA:9A:C1:5E:2A:10:D2 Using reader with a card: Yubico YubiKey FIDO+CCID 0 Sending: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00 Received (SW1=0x90, SW2=0x00): 61 11 4F 06 00 00 10 00 01 00 79 07 4F 05 A0 00 00 03 08 Sending: 00 20 00 80 08 31 32 33 34 35 36 FF FF Received (SW1=0x90, SW2=0x00) Sending: 00 87 11 90 47 7C 45 82 00 85 41 04 65 2D C5 8C DC 1F 09 11 50 DB 91 F5 F5 8C A5 32 A5 09 75 E2 34 20 79 09 10 C7 0F E3 A3 AB 86 DC EA 9C 70 9F 56 06 3B CD 22 47 F7 D7 D5 7C 92 5C 8F CF F2 A2 A8 9A E2 86 00 CA 9A C1 5E 2A 10 D2 Received (SW1=0x90, SW2=0x00): 7C 22 82 20 71 64 DC 80 F1 6A EE 96 98 AE 13 CE 84 62 C9 C4 1B 52 BA C3 E7 0C E3 13 79 F5 31 FE 5A 96 1C 1A ``` -------------------------------- ### Install PCSC-lite for Smart Card Communication Source: https://docs.yubico.com/yesdk/users-manual/getting-started/running-on-linux Installs the PCSC-lite library, essential for communicating with smart card readers and YubiKey applications like OATH, PIV, and OpenPGP. It provides commands for both APT and YUM based distributions. ```shell # For APT based distros (e.g. Debian, Ubuntu): sudo apt install pcscd # For YUM based distros (e.g. RedHat, CentOS): sudo yum install pcsc-lite ``` -------------------------------- ### Start and Enable pcscd.socket on Arch Linux Source: https://docs.yubico.com/yesdk/users-manual/yubikey-reference/transports/overview Commands to enable and start the 'pcscd.socket' service on Arch Linux. This ensures the PC/SC daemon is running and will start automatically on boot, which is necessary for the system to manage smart card readers like the YubiKey. ```bash sudo systemctl enable --now pcscd.socket sudo systemctl start --now pcscd.socket ``` -------------------------------- ### Verify PIN Command APDU Example Source: https://docs.yubico.com/yesdk/users-manual/application-piv/apdu/verify This snippet shows an example of using the `opensc-tool` command to send a VERIFY PIN command to a YubiKey. It includes the command APDU for selecting an application and then the command APDU for verifying the PIN. ```bash $ opensc-tool -c default -s 00:a4:04:00:09:a0:00:00:03:08:00:00:10:00 -s 00:20:00:80:08:31:32:33:34:35:36:ff:ff Using reader with a card: Yubico YubiKey OTP+FIDO+CCID 0 Sending: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00 Received (SW1=0x90, SW2=0x00): 61 11 4F 06 00 00 10 00 01 00 79 07 4F 05 A0 00 00 03 08 Sending: 00 20 00 80 08 31 32 33 34 35 36 FF FF Received (SW1=0x90, SW2=0x00) ``` -------------------------------- ### Set PIN Retries Example (Conceptual) Source: https://docs.yubico.com/yesdk/users-manual/application-piv/commands This conceptual example demonstrates setting the PIN and PUK retry counts. It illustrates the state before and after the command execution, highlighting the change in retry counts and the reset of PIN/PUK values. This command requires prior management key authentication and PIN verification. ```text Before command execution: current PIN: 7777777 retry count: 3 current PUK: 88888888 retry count: 3 Call this command to set the PIN retry count to 5 and the PUK retry count to 2. After successful completion of the command: current PIN: 123456 retry count: 5 current PUK: 12345678 retry count: 2 ``` -------------------------------- ### Echo Command Inner APDU Example Source: https://docs.yubico.com/yesdk/users-manual/application-u2f/u2f-commands An example of an inner APDU for the Echo command, demonstrating how 8 bytes of data are formatted. This inner command is then wrapped within a CTAP1 message. ```plaintext 00 40 00 00 08 11 22 33 44 55 66 77 88 ``` -------------------------------- ### OTP Application with Secure Channel (SCP03 and SCP11b) Source: https://docs.yubico.com/yesdk/users-manual/sdk-programming-guide/secure-channel-protocol Provides examples for securing OTP (One-Time Password) sessions on a YubiKey using SCP03 or SCP11b. SCP03 leverages static keys for secure communication, while SCP11b uses defined key parameters. This ensures the integrity of OTP-related commands. ```csharp // Using SCP03 StaticKeys scp03Keys = RetrieveScp03KeySet(); // Your static keys using Scp03KeyParamaters scp03Params = Scp03KeyParameters.FromStaticKeys(scp03Keys); using (var otpSession = new OtpSession(yubiKeyDevice, scp03params)) { // All otpSession-commands are now automatically protected by SCP03 } // Using SCP11b var keyReference = KeyReference.Create(ScpKeyIds.Scp11B, kvn); using (var otpSession = new OtpSession(yubiKeyDevice, scp11Params)) { // All OtpSession-commands are now automatically protected by SCP11 } ``` -------------------------------- ### Certificate Rotation Example (C#) Source: https://docs.yubico.com/yesdk/users-manual/application-security-domain/security-domain-certificates An example illustrating how to perform certificate rotation on a YubiKey. This involves storing a new certificate chain and updating the allowlist if necessary. Assumes an existing authenticated session and valid key references. ```csharp using var session = new SecurityDomainSession(yubiKeyDevice, scpParams); // Store new certificates session.StoreCertificates(keyRef, newCertificateChain); // Update allowlist if needed session.StoreAllowlist(keyRef, newAllowedSerials); ``` -------------------------------- ### Verify Temporary PIN with Biometrics Example Source: https://docs.yubico.com/yesdk/yubikey-api/Yubico.YubiKey.Piv.Commands Demonstrates how to use VerifyUvCommand to request a temporary PIN and then use that PIN with VerifyTemporaryPinCommand for authentication. This example assumes a method exists for collecting the PIN and requires a YubiKeyConnection. ```csharp /* This example assumes the application has a method to collect a PIN. */ IYubiKeyConnection connection = key.Connect(YubiKeyApplication.Piv); /* request temporary PIN */ var verifyUvCommand = new VerifyUvCommand(true, false); /* a biometric verification will be performed */ var verifyUvResponse = connection.SendCommand(verifyUvCommand); if (verifyUvResponse.Status == ResponseStatus.Success) { var temporaryPin = verifyUvResponse.GetData(); /* using temporary PIN will not request biometric verification */ var verifyTemporaryPinCommand = new VerifyTemporaryPin(temporaryPin); var verifyResponse = connection.SendCommand(verifyTemporaryPinCommand); if (verifyResponse == ResponseStatus.Success) { /* session is authenticated */ } } ``` -------------------------------- ### Install pcsclite on Debian/Ubuntu Source: https://docs.yubico.com/yesdk/users-manual/yubikey-reference/transports/overview Provides the command to install the 'pcsclite' library on Debian or Ubuntu-based Linux distributions. This library is essential for enabling smart card communication with the YubiKey on these systems. It includes the necessary components for PC/SC integration. ```bash apt-get install libpcsclite1 ``` -------------------------------- ### Get Protocol Version Response APDU Example Source: https://docs.yubico.com/yesdk/users-manual/application-u2f/apdu/get-protocol-version This snippet shows an example of the raw byte data returned from the YubiKey when requesting the protocol version. The bytes represent ASCII characters forming a version string. ```hex 0x55 32 46 5F 56 32 ``` -------------------------------- ### Add Yubico.YubiKey NuGet package manually to project file Source: https://docs.yubico.com/yesdk/users-manual/getting-started/how-to-install Manually add a PackageReference to the Yubico.YubiKey SDK within the .csproj file of your project. Ensure the Version attribute is set to the latest SDK version. ```xml Exe net5.0 ``` -------------------------------- ### Direct YubiKey Connection using Connect and TryConnect Source: https://docs.yubico.com/yesdk/users-manual/sdk-programming-guide/secure-channel-protocol Explains how to establish direct connections to YubiKey applications using `Connect` and `TryConnect`. The `Connect` method takes an application ID and security parameters, while `TryConnect` offers a boolean return for success, allowing for conditional use of the connection. ```csharp // Using application ID using var connection = yubiKeyDevice.Connect( applicationId, // byte array for ISO7816 applicationId Scp03KeyParameters.DefaultKey); // Using YubiKeyApplication enum using var connection = yubiKeyDevice.Connect( YubiKeyApplication.Piv, scp11Parameters); // Try pattern if (yubiKeyDevice.TryConnect( YubiKeyApplication.Oath, scpParameters, out var connection)) { using (connection) { // Use connection } } ``` -------------------------------- ### Execute GET DATA APDU with opensc-tool Source: https://docs.yubico.com/yesdk/users-manual/application-piv/apdu/get-data This example demonstrates how to use the `opensc-tool` command-line utility to send a GET DATA APDU to a YubiKey. It shows the command APDU sent and the subsequent response APDU received, including data and status words. This is useful for retrieving specific data objects from the YubiKey. ```bash $ opensc-tool -c default -s 00:a4:04:00:09:a0:00:00:03:08:00:00:10:00 -s 00:cb:3f:ff:05:5c:03:5f:c1:02 Using reader with a card: Yubico YubiKey OTP+FIDO+CCID 0 Sending: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00 Received (SW1=0x90, SW2=0x00): 61 11 4F 06 00 00 10 00 01 00 79 07 4F 05 A0 00 00 03 08 Sending: 00 CB 3F FF 05 5C 03 5F C1 02 Received (SW1=0x90, SW2=0x00): 53 3B 30 19 D4 E7 39 DA 73 9C ED 39 CE 73 9D 83 68 58 21 08 42 10 84 21 38 42 10 C3 F5 34 10 AD 64 BE AC 16 11 4A 56 93 A2 9D 58 3B 74 CB 44 35 08 32 30 33 30 30 31 30 31 3E 00 FE 00 53 3B 30 19 D4 E7 39 DA 73 9C ED 39 CE 73 9D 83 68 58 21 08 42 10 84 21 38 42 10 C3 F5 34 10 AD 64 BE AC 16 11 4A 56 93 A2 9D 58 3B 74 CB 44 35 08 32 30 33 30 30 31 30 31 3E 00 FE 00 ``` -------------------------------- ### CBOR Encoding for Successful Response Data Source: https://docs.yubico.com/yesdk/users-manual/application-fido2/apdu/get-cred-metadata Provides an example of the CBOR encoding found in the data field of a successful Response APDU. This structure contains integer fields that represent the retrieved information, similar to the example provided. ```cbor A2 01 --int-- 02 --int-- ``` -------------------------------- ### Find and Choose First YubiKey Source: https://docs.yubico.com/yesdk/users-manual/sdk-programming-guide/making-a-connection This function finds all YubiKeys connected to the host machine and returns the first one found. It utilizes the `YubiKeyDevice.FindAll()` method to enumerate devices. The primary dependency is the YubiKey SDK. It returns an `IYubiKeyDevice` object or null if no devices are found. ```csharp // Chooses the first YubiKey found on the computer. IYubiKeyDevice? SampleChooseYubiKey() { IEnumerable list = YubiKeyDevice.FindAll(); return list.First(); } ``` -------------------------------- ### Create PIV Session Source: https://docs.yubico.com/yesdk/users-manual/sdk-programming-guide/making-a-connection This code snippet demonstrates how to create a PIV session with a selected YubiKey device. It first obtains an `IYubiKeyDevice` using a helper function (like `SampleChooseYubiKey`) and then instantiates `PivSession`. The YubiKey SDK is a prerequisite. It handles cases where no YubiKey is found and ensures the session is properly disposed of via `using`. ```csharp IYubiKeyDevice? yubiKeyToUse = SampleChooseYubiKey(); if (yubiKeyToUse is null) { // handle case where no YubiKey was found. } using var pivSession = new PivSession(yubiKeyToUse); ``` -------------------------------- ### Establish YubiKey Connection for PIV Source: https://docs.yubico.com/yesdk/users-manual/sdk-programming-guide/making-a-connection Obtains an IYubiKeyDevice and establishes a connection to it for the PIV application. This connection allows direct execution of PIV commands. Ensure a YubiKey is present and handled if no device is found. ```csharp IYubiKeyDevice? yubiKeyToUse = SampleChooseYubiKey(); if (yubiKeyToUse is null) { // handle case where no YubiKey was found. } IYubiKeyConnection connection = yubiKeyToUse.Connect(YubiKeyApplication.Piv); ``` -------------------------------- ### Retrieve Blocked Reset Applications with ResetBlocked() Source: https://docs.yubico.com/yesdk/users-manual/getting-started/whats-new Gets a list of YubiKey applications that are blocked from being reset. This helps in understanding reset limitations. Requires firmware 5.7+. ```csharp Yubico.YubiKey.Device.Commands.ResetBlockedCommand command = new Yubico.YubiKey.Device.Commands.ResetBlockedCommand(); var result = yubiKey.SendCommand(command); var blockedApps = result.GetData(); ``` -------------------------------- ### Get YubiKey Serial Number using opensc-tool Source: https://docs.yubico.com/yesdk/users-manual/application-otp/commands-get-serial This example demonstrates how to obtain the YubiKey serial number using the 'opensc-tool.exe' utility. It involves sending specific command APDUs to the YubiKey and parsing the response. This method is suitable for systems where opensc-tool is available. ```bash $ opensc-tool.exe -c default -r 1 -s 00:a4:04:00:08:a0:00:00:05:27:20:01:01 -s 00:01:10:00 Sending: 00 A4 04 00 08 A0 00 00 05 27 20 01 01 Received (SW1=0x90, SW2=0x00): 04 03 07 03 07 00 06 0F 00 00 .......... Sending: 00 01 10 00 Received (SW1=0x90, SW2=0x00): 00 6B 95 6A .k.j // Serial Number: 7050602 ``` -------------------------------- ### Get Firmware Version using opensc-tool Source: https://docs.yubico.com/yesdk/users-manual/application-piv/apdu/version This example demonstrates how to retrieve the YubiKey's firmware version using the `opensc-tool` utility. It sends specific APDU commands to the YubiKey and interprets the response to extract the version number. No external libraries are required beyond `opensc-tool`. ```bash $ opensc-tool -c default -s 00:a4:04:00:09:a0:00:00:03:08:00:00:10:00 -s 00:fd:00:00 Using reader with a card: Yubico YubiKey OTP+FIDO+CCID 0 Sending: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00 Received (SW1=0x90, SW2=0x00): 61 11 4F 06 00 00 10 00 01 00 79 07 4F 05 A0 00 00 03 08 Sending: 00 FD 00 00 Received (SW1=0x90, SW2=0x00): 05 02 04 In this case, the version number is 5.2.4 ``` -------------------------------- ### Manage YubiKey Security Domain Sessions (C#) Source: https://docs.yubico.com/yesdk/users-manual/sdk-programming-guide/secure-channel-protocol Provides methods for managing SCP configurations within a YubiKey security domain. This includes retrieving key information, storing certificates and allowlists for SCP11, importing private and public keys, and resetting the device to factory defaults. Note: Using DefaultKey in production is insecure. ```csharp using var session = new SecurityDomainSession(yubiKeyDevice, Scp03KeyParameters.DefaultKey); // Get information about installed keys var keyInfo = session.GetKeyInformation(); // Store certificates for SCP11 session.StoreCertificates(keyReference, certificates); // Manage allowed certificate serials session.StoreAllowlist(keyReference, allowedSerials); // Import private key session.PutKey(keyReference, privateKeyParameters) // Import public key session.PutKey(keyReference, publicKeyParameters) // Reset to factory defaults session.Reset(); ``` -------------------------------- ### Response APDU Chaining Example (GET RESPONSE) Source: https://docs.yubico.com/yesdk/users-manual/yubikey-reference/apdu Illustrates response APDU chaining when the YubiKey returns more than 256 bytes. The initial response with SW1='61' indicates remaining data, prompting the host to send a GET RESPONSE APDU (00 c0 00 00) to retrieve the rest. ```text command APDU: 00 cb 3f ff 05 5c 03 5f ff 01 response APDU: 53 82 02 f5 ... 61 ff command APDU: 00 c0 00 00 response APDU: a9 e9 c1 5b ... 61 f9 command APDU: 00 c0 00 00 response APDU: 28 42 e5 8d ... 90 00 __ ``` -------------------------------- ### Get Management Key Metadata using opensc-tool Source: https://docs.yubico.com/yesdk/users-manual/application-piv/apdu/metadata This example shows how to fetch metadata for the Management Key (slot 9B). It involves selecting the PIV application and then reading data from slot 9B. The output includes the raw APDU response and the parsed TLV structure of the retrieved metadata. ```bash $ opensc-tool -c default -s 00:a4:04:00:09:a0:00:00:03:08:00:00:10:00 -s 00:f7:00:9b Using reader with a card: Yubico YubiKey OTP+FIDO+CCID 0 Sending: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00 Received (SW1=0x90, SW2=0x00): 61 11 4F 06 00 00 10 00 01 00 79 07 4F 05 A0 00 00 03 08 Sending: 00 F7 00 9B Received (SW1=0x90, SW2=0x00): 01 01 03 02 02 00 01 05 01 00 01 01 03 02 02 00 01 05 01 00 __ ``` -------------------------------- ### Instantiate PinUvAuthProtocolOne Source: https://docs.yubico.com/yesdk/yubikey-api/Yubico.YubiKey.Fido2.PinProtocols Constructs a new instance of the PinUvAuthProtocolOne class. This is the basic constructor and does not require any parameters. ```csharp public PinUvAuthProtocolOne() ``` -------------------------------- ### Get Attestation Key Metadata using opensc-tool Source: https://docs.yubico.com/yesdk/users-manual/application-piv/apdu/metadata This snippet demonstrates how to retrieve metadata for the Attestation Key. It involves selecting the PIV application and then reading data from slot F9, which corresponds to the Attestation Key. The output shows the raw APDU response, although the metadata content is truncated in the provided example. ```bash $ opensc-tool -c default -s 00:a4:04:00:09:a0:00:00:03:08:00:00:10:00 -s 00:f7:00:f9 Using reader with a card: Yubico YubiKey OTP+FIDO+CCID 0 Sending: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00 Received (SW1=0x90, SW2=0x00): 61 11 4F 06 00 00 10 00 01 00 79 07 4F 05 A0 00 00 03 08 Sending: 00 F7 00 F9 Received (SW1=0x90, SW2=0x00): ``` -------------------------------- ### Get PUK Metadata using opensc-tool Source: https://docs.yubico.com/yesdk/users-manual/application-piv/apdu/metadata This example shows how to retrieve metadata associated with the PUK (Personal Unblocking Key). It involves selecting the PIV application and then reading data from slot 81, which pertains to PUK information. The output includes the raw APDU response and the parsed TLV structure of the PUK metadata. ```bash $ opensc-tool -c default -s 00:a4:04:00:09:a0:00:00:03:08:00:00:10:00 -s 00:f7:00:81 Using reader with a card: Yubico YubiKey OTP+FIDO+CCID 0 Sending: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00 Received (SW1=0x90, SW2=0x00): 61 11 4F 06 00 00 10 00 01 00 79 07 4F 05 A0 00 00 03 08 Sending: 00 F7 00 81 Received (SW1=0x90, SW2=0x00): 01 01 FF 05 01 01 06 02 05 05 01 01 FF 05 01 01 06 02 05 05 __ ``` -------------------------------- ### SetLegacyDeviceConfigCommand Constructors Source: https://docs.yubico.com/yesdk/yubikey-api/Yubico.YubiKey.Otp.Commands Provides information on how to instantiate the SetLegacyDeviceConfigCommand class. There are two constructors available: one that copies an existing base command and another that initializes a new command with specific configuration parameters. ```APIDOC ## SetLegacyDeviceConfigCommand Constructors ### SetLegacyDeviceConfigCommand(SetLegacyDeviceConfigBase) Creates a new SetLegacyDeviceConfigCommand from another object which derives from SetLegacyDeviceConfigBase. #### Parameters - **baseCommand** (SetLegacyDeviceConfigBase) - The SetLegacyDeviceConfig base command object to copy from. #### Remarks This constructor can be useful to switch between different application-specific implementations of the same base command. ### SetLegacyDeviceConfigCommand(YubiKeyCapabilities, byte, bool, int) Initializes a new instance of the SetLegacyDeviceConfigCommand class. #### Parameters - **yubiKeyInterfaces** (YubiKeyCapabilities) - Value for YubiKeyInterfaces. - **challengeResponseTimeout** (byte) - Value for ChallengeResponseTimeout. - **touchEjectEnabled** (bool) - Value for TouchEjectEnabled. - **autoEjectTimeout** (int) - Value for AutoEjectTimeout. #### Remarks This command sends all configuration settings every time. Therefore all values must be provided every time. #### Exceptions - **ArgumentException** - Thrown if `yubiKeyInterfaces` contains unsupported flags. - **ArgumentOutOfRangeException** - Thrown when `autoEjectTimeout` is out of the valid range. ``` -------------------------------- ### Yubico.NET SDK: Verify NuGet Package with GitHub Attestations Source: https://docs.yubico.com/yesdk/users-manual/getting-started/whats-new Demonstrates how to verify the integrity of a Yubico.NET SDK NuGet package using GitHub Attestations. This method helps ensure the package was generated from the official repository. ```bash gh attestation verify .\Yubico.Core.1.12.0.nupkg --repo Yubico/Yubico.NET.SDK ``` -------------------------------- ### Get All OATH Credentials Source: https://docs.yubico.com/yesdk/users-manual/application-oath/oath-session This code snippet illustrates how to retrieve all configured OATH credentials from a YubiKey using the oathSession.GetCredentials() method. It also shows an example of filtering these credentials using LINQ. ```csharp IList credentials = oathSession.GetCredentials(); // Use LINQ to filter credentials by credential's type List filteredCredentials = oathSession.GetCredentials().Where(credential => credential.Type == CredentialType.Totp).ToList(); ``` -------------------------------- ### Making a Connection to a YubiKey (C#) Source: https://docs.yubico.com/yesdk/users-manual/application-piv/migrate-smartcardnet This snippet demonstrates how to find and establish a connection to a YubiKey using the SDK. It contrasts with the older SmartCard.NET API's method of enumerating devices. The SDK requires specifying the desired application, such as PIV, to create a session. ```C# IEnumerable smartCardList = YkSmartCard.GetSmartCards(); YkSmartCard ykSmartCard = smartCardList.First(); ``` ```C# IEnumerable yubiKeyList = YubiKeyDevice.FindAll(); IYubiKeyDevice yubiKeyToUse = yubiKeyList.First(); using var pivSession = new PivSession(yubiKeyToUse); ```