Merge branch 'main' into develop

Author: DennisDyallo

.github/workflows/build-nativeshims.yml

@@ -39,7 +39,13 @@ jobs:
           echo 'Running build script: Windows'
           cd Yubico.NativeShims
           if ("${{ github.event.inputs.version }}" -ne "") {
-            $baseVersion = "${{ github.event.inputs.version }}".Split('-')[0]
+            $versionInput = "${{ github.event.inputs.version }}"
+            if ($versionInput -like "*-*") {
+              $baseVersion = $versionInput.Split('-')[0]
+            } else {
+              Write-Warning "Version input does not contain a hyphen ('-'). Using the full version string as base version."
+              $baseVersion = $versionInput
+            }
             & ./build-windows.ps1 -Version $baseVersion
           } else {
             & ./build-windows.ps1

Yubico.Core/src/Yubico/PlatformInterop/Libraries.Net47.cs

@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-#if NET47
+#if NETFRAMEWORK
 
 using System;
 using System.IO;

Yubico.Core/src/Yubico/PlatformInterop/Libraries.cs

@@ -14,7 +14,7 @@
 
 // As long as we have the Libraries.Net47.cs class which holds the opposite preprocessor directive check,
 // this check is required - as having both at the same time is not possible.
-#if !NET47 
+#if !NETFRAMEWORK
 
 namespace Yubico.PlatformInterop
 {

Yubico.YubiKey/src/Yubico/YubiKey/ApplicationSession.cs

@@ -30,9 +30,13 @@ public abstract class ApplicationSession : IDisposable
     {
         /// <summary>
         /// The object that represents the connection to the YubiKey. Most
-        /// applications will ignore this, but it can be used to call Commands
+        /// applications will ignore this, but it can be used to issue commands
         /// directly.
         /// </summary>
+        /// <remarks> This property gives you direct access to the existing connection to the YubiKey using the
+        /// <see cref="IYubiKeyConnection"/> interface. To send your own commands, call the
+        /// <see cref="IYubiKeyConnection.SendCommand{TResponse}"/>
+        /// </remarks>
         public IYubiKeyConnection Connection { get; protected set; }
 
         /// <summary>

Yubico.YubiKey/src/Yubico/YubiKey/Fido2/Commands/CredentialManagementCommand.cs

@@ -159,15 +159,11 @@ protected CredentialManagementCommand()
         /// <param name="authProtocol">
         /// The Auth Protocol used to build the Auth Token.
         /// </param>
-        /// <param name="decryptAuthToken">If true, the <c>pinUvAuthToken</c> is assumed encrypted,
-        /// and thus the SDK will attempt to decrypt it before passing it to the YubiKey.
-        /// If false, no decryption will be attempted.</param>
         public CredentialManagementCommand(
             int subCommand,
             byte[]? subCommandParams,
             ReadOnlyMemory<byte> pinUvAuthToken,
-            PinUvAuthProtocolBase authProtocol,
-            bool decryptAuthToken = true)
+            PinUvAuthProtocolBase authProtocol)
         {
             if (authProtocol is null)
             {
@@ -189,9 +185,7 @@ public CredentialManagementCommand(
 
             // The pinUvAuthToken is an encrypted value, so there's no need to
             // overwrite the array.
-            byte[] authParam = decryptAuthToken
-                ? authProtocol.AuthenticateUsingPinToken(pinUvAuthToken.ToArray(), message)
-                : authProtocol.Authenticate(pinUvAuthToken.ToArray(), message);
+            byte[] authParam = authProtocol.AuthenticateUsingPinToken(pinUvAuthToken, message);
 
             PinUvAuthParam = authParam;
             PinUvAuthProtocol = authProtocol.Protocol;
@@ -215,6 +209,35 @@ public CredentialManagementCommand(
             PinUvAuthParam = null;
         }
 
+        /// <summary>
+        /// Constructs a new instance of <see cref="CredentialManagementCommand"/> with a pre-computed PIN/UV auth param.
+        /// </summary>
+        /// <param name="subCommand">
+        /// The byte representing the subcommand to execute.
+        /// </param>
+        /// <param name="subCommandParams">
+        /// The parameters needed in order to execute the subcommand. Not all
+        /// subcommands have parameters, so this can be null.
+        /// </param>
+        /// <param name="pinUvAuthParam">
+        /// The pre-computed PIN/UV auth param for this command.
+        /// </param>
+        /// <param name="protocol">
+        /// The PIN/UV protocol version used to compute the auth param.
+        /// </param>
+        public CredentialManagementCommand(
+            int subCommand,
+            byte[]? subCommandParams,
+            ReadOnlyMemory<byte> pinUvAuthParam,
+            PinUvAuthProtocol protocol)
+        {
+            SubCommand = subCommand;
+            _encodedParams = subCommandParams;
+            _protocol = (int)protocol;
+            PinUvAuthParam = pinUvAuthParam;
+            PinUvAuthProtocol = protocol;
+        }
+
         /// <summary>
         /// Creates a well-formed CommandApdu to send to the YubiKey.
         /// </summary>

Yubico.YubiKey/src/Yubico/YubiKey/Fido2/Commands/EnumerateCredentialsBeginCommand.cs

@@ -69,23 +69,58 @@ private EnumerateCredentialsBeginCommand()
         /// <param name="authProtocol">
         ///     The Auth Protocol used to build the Auth Token.
         /// </param>
-        /// <param name="decryptAuthToken">If true, the <c>pinUvAuthToken</c> is assumed encrypted,
-        /// and thus the SDK will attempt to decrypt it before passing it to the YubiKey.
-        /// If false, no decryption will be attempted.</param>
         public EnumerateCredentialsBeginCommand(
             RelyingParty relyingParty,
             ReadOnlyMemory<byte> pinUvAuthToken,
-            PinUvAuthProtocolBase authProtocol,
-            bool decryptAuthToken = true)
+            PinUvAuthProtocolBase authProtocol)
             : base(new CredentialManagementCommand(
-            SubCmdEnumerateCredsBegin, EncodeParams(relyingParty), pinUvAuthToken, authProtocol, decryptAuthToken))
+            SubCmdEnumerateCredsBegin, EncodeParams(relyingParty), pinUvAuthToken, authProtocol))
+        {
+        }
+
+        /// <summary>
+        /// Constructs a new instance of <see cref="EnumerateCredentialsBeginCommand"/> with a pre-computed PIN/UV auth param.
+        /// </summary>
+        /// <param name="relyingParty">
+        ///     The relying party for which the credential enumeration is requested.
+        /// </param>
+        /// <param name="pinUvAuthParam">
+        ///     The pre-computed PIN/UV auth param for this command.
+        /// </param>
+        /// <param name="protocol">
+        ///     The PIN/UV protocol version used to compute the auth param.
+        /// </param>
+        public EnumerateCredentialsBeginCommand(
+            RelyingParty relyingParty,
+            ReadOnlyMemory<byte> pinUvAuthParam,
+            PinUvAuthProtocol protocol)
+            : base(new CredentialManagementCommand(
+            SubCmdEnumerateCredsBegin, EncodeParams(relyingParty), pinUvAuthParam, protocol))
         {
         }
 
         /// <inheritdoc />
         public EnumerateCredentialsBeginResponse CreateResponseForApdu(ResponseApdu responseApdu) =>
             new EnumerateCredentialsBeginResponse(responseApdu);
 
+        /// <summary>
+        /// Creates the authentication message for this command, consisting of the subcommand byte plus encoded parameters.
+        /// </summary>
+        /// <param name="relyingParty">
+        /// The relying party for which the credential enumeration is requested.
+        /// </param>
+        /// <returns>
+        /// The message to be used for PIN/UV authentication.
+        /// </returns>
+        public static byte[] GetAuthenticationMessage(RelyingParty relyingParty)
+        {
+            byte[] encodedParams = EncodeParams(relyingParty);
+            byte[] message = new byte[1 + encodedParams.Length];
+            message[0] = SubCmdEnumerateCredsBegin;
+            encodedParams.CopyTo(message, 1);
+            return message;
+        }
+
         // This method encodes the parameters. For
         // EnumerateCredentialsBeginCommand, the parameters consist of only the
         // rpIdHash, and it is encoded as

Yubico.YubiKey/src/Yubico/YubiKey/Fido2/Commands/EnumerateCredentialsGetNextCommand.cs

@@ -12,7 +12,9 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+using System;
 using Yubico.Core.Iso7816;
+using Yubico.YubiKey.Fido2.PinProtocols;
 
 namespace Yubico.YubiKey.Fido2.Commands
 {
@@ -56,6 +58,22 @@ public EnumerateCredentialsGetNextCommand()
         {
         }
 
+        /// <summary>
+        /// Constructs a new instance of <see cref="EnumerateCredentialsGetNextCommand"/> with a pre-computed PIN/UV auth param.
+        /// </summary>
+        /// <param name="pinUvAuthParam">
+        ///     The pre-computed PIN/UV auth param for this command.
+        /// </param>
+        /// <param name="protocol">
+        ///     The PIN/UV protocol version used to compute the auth param.
+        /// </param>
+        public EnumerateCredentialsGetNextCommand(
+            ReadOnlyMemory<byte> pinUvAuthParam,
+            PinUvAuthProtocol protocol)
+            : base(new CredentialManagementCommand(SubCmdGetEnumerateCredsGetNext, null, pinUvAuthParam, protocol))
+        {
+        }
+
         /// <inheritdoc />
         public EnumerateCredentialsGetNextResponse CreateResponseForApdu(ResponseApdu responseApdu) =>
             new EnumerateCredentialsGetNextResponse(responseApdu);

Yubico.YubiKey/src/Yubico/YubiKey/Fido2/Commands/EnumerateRpsBeginCommand.cs

@@ -60,19 +60,42 @@ private EnumerateRpsBeginCommand()
         /// <param name="authProtocol">
         ///     The Auth Protocol used to build the Auth Token.
         /// </param>
-        /// <param name="decryptAuthToken">If true, the <c>pinUvAuthToken</c> is assumed encrypted,
-        /// and thus the SDK will attempt to decrypt it before passing it to the YubiKey.
-        /// If false, no decryption will be attempted.</param>
         public EnumerateRpsBeginCommand(
             ReadOnlyMemory<byte> pinUvAuthToken,
-            PinUvAuthProtocolBase authProtocol,
-            bool decryptAuthToken = true)
-            : base(new CredentialManagementCommand(SubCmdEnumerateRpsBegin, null, pinUvAuthToken, authProtocol, decryptAuthToken))
+            PinUvAuthProtocolBase authProtocol)
+            : base(new CredentialManagementCommand(SubCmdEnumerateRpsBegin, null, pinUvAuthToken, authProtocol))
+        {
+        }
+
+        /// <summary>
+        /// Constructs a new instance of <see cref="EnumerateRpsBeginCommand"/> with a pre-computed PIN/UV auth param.
+        /// </summary>
+        /// <param name="pinUvAuthParam">
+        ///     The pre-computed PIN/UV auth param for this command.
+        /// </param>
+        /// <param name="protocol">
+        ///     The PIN/UV protocol version used to compute the auth param.
+        /// </param>
+        public EnumerateRpsBeginCommand(
+            ReadOnlyMemory<byte> pinUvAuthParam,
+            PinUvAuthProtocol protocol)
+            : base(new CredentialManagementCommand(SubCmdEnumerateRpsBegin, null, pinUvAuthParam, protocol))
         {
         }
 
         /// <inheritdoc />
         public EnumerateRpsBeginResponse CreateResponseForApdu(ResponseApdu responseApdu) =>
             new EnumerateRpsBeginResponse(responseApdu);
+
+        /// <summary>
+        /// Creates the authentication message for this command, consisting of only the subcommand byte.
+        /// </summary>
+        /// <returns>
+        /// The message to be used for PIN/UV authentication.
+        /// </returns>
+        public static byte[] GetAuthenticationMessage()
+        {
+            return new byte[] { SubCmdEnumerateRpsBegin };
+        }
     }
 }

Yubico.YubiKey/src/Yubico/YubiKey/Fido2/Commands/EnumerateRpsBeginResponse.cs

@@ -72,9 +72,9 @@ public EnumerateRpsBeginResponse(ResponseApdu responseApdu)
         {
             var credentialManagementData = _response.GetData();
 
-            if (!(credentialManagementData.RelyingParty is null)
-                && !(credentialManagementData.RelyingPartyIdHash is null)
-                && !(credentialManagementData.TotalRelyingPartyCount is null))
+            if (credentialManagementData.RelyingParty is not null
+                && credentialManagementData.RelyingPartyIdHash is not null
+                && credentialManagementData.TotalRelyingPartyCount is not null)
             {
                 if (credentialManagementData.RelyingParty.IsMatchingRelyingPartyId(credentialManagementData.RelyingPartyIdHash.Value))
                 {

Yubico.YubiKey/src/Yubico/YubiKey/Fido2/Commands/GetCredentialMetadataCommand.cs

@@ -51,26 +51,48 @@ private GetCredentialMetadataCommand()
         /// <param name="authProtocol">
         /// The Auth Protocol used to build the Auth Token.
         /// </param>
-        /// <param name="decryptAuthToken">If true, the <c>pinUvAuthToken</c> is assumed encrypted,
-        /// and thus the SDK will attempt to decrypt it before passing it to the YubiKey.
-        /// If false, no decryption will be attempted.</param>
         public GetCredentialMetadataCommand(
             ReadOnlyMemory<byte> pinUvAuthToken,
-            PinUvAuthProtocolBase authProtocol,
-            bool decryptAuthToken = true)
+            PinUvAuthProtocolBase authProtocol)
             : base(
                 new CredentialManagementCommand(
                     SubCmdGetMetadata,
                     null,
                     pinUvAuthToken,
-                    authProtocol,
-                    decryptAuthToken))
+                    authProtocol))
+        {
+
+        }
+
+        /// <summary>
+        /// Constructs a new instance of <see cref="GetCredentialMetadataCommand"/> with a pre-computed PIN/UV auth param.
+        /// </summary>
+        /// <param name="pinUvAuthParam">
+        ///     The pre-computed PIN/UV auth param for this command.
+        /// </param>
+        /// <param name="protocol">
+        ///     The PIN/UV protocol version used to compute the auth param.
+        /// </param>
+        public GetCredentialMetadataCommand(
+            ReadOnlyMemory<byte> pinUvAuthParam,
+            PinUvAuthProtocol protocol)
+            : base(new CredentialManagementCommand(SubCmdGetMetadata, null, pinUvAuthParam, protocol))
         {
-            
         }
 
         /// <inheritdoc />
         public GetCredentialMetadataResponse CreateResponseForApdu(ResponseApdu responseApdu) =>
             new GetCredentialMetadataResponse(responseApdu);
+
+        /// <summary>
+        /// Creates the authentication message for this command, consisting of only the subcommand byte.
+        /// </summary>
+        /// <returns>
+        /// The message to be used for PIN/UV authentication.
+        /// </returns>
+        public static byte[] GetAuthenticationMessage()
+        {
+            return new byte[] { SubCmdGetMetadata };
+        }
     }
 }