Yubico.NET.SDK

CHUID support?

Open ghostidentity opened this issue 1 year ago • 7 comments

Hello,

I want to know if the SDK has support for creating a CHUID on the device?

Thanks.

ghostidentity, Dec 19 '23 10:12

Check this out https://github.com/Yubico/Yubico.NET.SDK/issues/4

DSBloom, Jan 02 '24 22:01

Thanks @DSBloom 😄

Yes - the documentation you're looking for is here:

  • Object for representing / creating a CHUID: https://docs.yubico.com/yesdk/yubikey-api/Yubico.YubiKey.Piv.Objects.CardholderUniqueId.html
  • Method for writing the CHUID: https://docs.yubico.com/yesdk/yubikey-api/Yubico.YubiKey.Piv.PivSession.WriteObject.html

GregDomzalski, Jan 03 '24 02:01

Thank you! I figured it out. (Screenshot of the code attached in the original post; not reproduced here.)

ghostidentity, Jan 03 '24 10:01

I'd like to ask why the expiration date is set to the constant 2030? The company will likely issue one YubiKey to each employee, some of whom will be employed for more than 10 years.

Will it cause an issue reading the CHUID value once the expiration date has passed?

ghostidentity, Jan 03 '24 10:01

Thanks for sharing your code for others!

Well, that's a great question.

The short answer is: it looks like the original developer simply mimicked what our ykpiv C library does. Generally, when we were building out this .NET library, we relied heavily on the existing C library implementations' behavior as they tend to be what we consider the "reference" implementations.

So why does the C library do this? I don't know. I will reach out to our PIV experts and see if I can get an answer for you.

GregDomzalski, Jan 03 '24 16:01

Thank you, hopefully the SDK can be updated to allow the expiration date to be set.

ghostidentity, Jan 03 '24 16:01

Hi - so I was able to follow up with the developer of the ykpiv C library, where this behavior came from. The answer was essentially that, at the time, they saw people mostly caring about setting the unique ID part of the CHUID and not much else - so they picked the rest of the values so the caller would not need to compute things like the signature and CRC. At the time (this was a few years ago), 2030 seemed "far enough away" 😄

So, long story short, it seems like you should be able to set it to whatever you want so long as it adheres to the PIV standards and specifications. At least from the YubiKey's perspective. We block this through the CardholderUniqueId utility class in the C# SDK, but there's nothing preventing you from calling the Get / Put object commands directly through our lower-level interface.

I will also open a ticket in our internal system for consideration of fixing this in a future version of the SDK.

GregDomzalski, Jan 08 '24 13:01
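The two comments above describe what the SDK's CardholderUniqueId class and the ykpiv template actually put on the key: a fixed FASC-N, the caller's 16-byte GUID, a hard-coded "20300101" expiration, and empty signature and error-detection elements, all wrapped in a 0x53 data object. The following C# is an added example written for this page; it is not code from the Yubico.NET.SDK repository, from ykpiv, or from the posters in this thread. It builds that same layout with a caller-chosen expiration and parses it back so a relying party can check the date. All function names are mine; the FASC-N bytes are reproduced from memory of ykpiv's CHUID template and should be verified against the C library; the expiration check models what an application reading the CHUID might do, not anything the YubiKey itself enforces (the thread only says the key accepts any value that adheres to the PIV specification).

```csharp
// Added example, not Yubico.NET.SDK or ykpiv code. Builds and parses a PIV CHUID
// (NIST SP 800-73-4, Part 1, Table 9) with a configurable expiration date.
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

public static class ChuidExample
{
    // CHUID element tags; 0x53 is the outer PIV data-object wrapper.
    public const byte TagObject = 0x53, TagFascN = 0x30, TagGuid = 0x34,
                      TagExpiration = 0x35, TagSignature = 0x3E, TagErrorDetection = 0xFE;

    // Placeholder FASC-N (no real agency/credential data) as used by the ykpiv template.
    // Assumption: reproduced from memory of ykpiv's chuid_tmpl; verify against the C source.
    static readonly byte[] FascN = {
        0xD4,0xE7,0x39,0xDA,0x73,0x9C,0xED,0x39,0xCE,0x73,0x9D,0x83,0x68,
        0x58,0x21,0x08,0x42,0x10,0x84,0x21,0xC8,0x42,0x10,0xC3,0xEB };

    // Minimal BER-TLV writer: tag, definite length (short or long form), value.
    static void WriteTlv(List<byte> buf, byte tag, ReadOnlySpan<byte> value)
    {
        buf.Add(tag);
        if (value.Length < 0x80) buf.Add((byte)value.Length);
        else if (value.Length < 0x100) { buf.Add(0x81); buf.Add((byte)value.Length); }
        else { buf.Add(0x82); buf.Add((byte)(value.Length >> 8)); buf.Add((byte)value.Length); }
        buf.AddRange(value.ToArray());
    }

    // Build a 0x53-wrapped CHUID. Like ykpiv, signature (0x3E) and error detection (0xFE)
    // are emitted empty, so no CRC/signature computation is needed. guid must be 16 bytes in
    // RFC 4122 wire order: do not pass System.Guid.ToByteArray(), whose first three fields
    // are little-endian.
    public static byte[] BuildChuid(byte[] guid, DateTime expiration)
    {
        if (guid.Length != 16) throw new ArgumentException("GUID must be 16 bytes", nameof(guid));
        var inner = new List<byte>();
        WriteTlv(inner, TagFascN, FascN);
        WriteTlv(inner, TagGuid, guid);
        WriteTlv(inner, TagExpiration,
                 Encoding.ASCII.GetBytes(expiration.ToString("yyyyMMdd", CultureInfo.InvariantCulture)));
        WriteTlv(inner, TagSignature, ReadOnlySpan<byte>.Empty);
        WriteTlv(inner, TagErrorDetection, ReadOnlySpan<byte>.Empty);
        var outer = new List<byte>();
        WriteTlv(outer, TagObject, inner.ToArray());
        return outer.ToArray();
    }

    // Parse the wrapped object into tag -> value, rejecting truncated encodings.
    public static Dictionary<byte, byte[]> ParseChuid(byte[] obj)
    {
        var (tag, value, _) = ReadTlv(obj, 0);
        if (tag != TagObject) throw new FormatException("expected 0x53 wrapper");
        var fields = new Dictionary<byte, byte[]>();
        for (int pos = 0; pos < value.Length; )
        {
            var (t, v, next) = ReadTlv(value, pos);
            fields[t] = v;
            pos = next;
        }
        return fields;
    }

    static (byte tag, byte[] value, int next) ReadTlv(byte[] buf, int pos)
    {
        if (pos + 2 > buf.Length) throw new FormatException("truncated TLV header");
        byte tag = buf[pos++];
        int len = buf[pos++];
        if (len >= 0x80)
        {
            int n = len & 0x7F;
            if (n == 0 || n > 2 || pos + n > buf.Length) throw new FormatException("bad length");
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | buf[pos++];
        }
        if (pos + len > buf.Length) throw new FormatException("truncated TLV value");
        return (tag, buf[pos..(pos + len)], pos + len);
    }

    // Expiration is 8 ASCII digits, YYYYMMDD. The check below is what a relying party
    // reading the CHUID might do; the thread does not say the YubiKey enforces it.
    public static DateTime GetExpiration(byte[] obj)
    {
        string text = Encoding.ASCII.GetString(ParseChuid(obj)[TagExpiration]);
        return DateTime.ParseExact(text, "yyyyMMdd", CultureInfo.InvariantCulture);
    }

    public static bool IsExpired(byte[] obj, DateTime asOf) => GetExpiration(obj).Date < asOf.Date;

    public static void Main()
    {
        byte[] guid = RandomNumberGenerator.GetBytes(16);                   // .NET 6+
        byte[] ykpivStyle = BuildChuid(guid, new DateTime(2030, 1, 1));    // what the SDK emits today
        byte[] longLived  = BuildChuid(guid, new DateTime(2040, 12, 31));  // what the thread asks for
        Console.WriteLine(Convert.ToHexString(ykpivStyle));
        Console.WriteLine($"2030 CHUID expired on 2031-06-01? {IsExpired(ykpivStyle, new DateTime(2031, 6, 1))}");
        Console.WriteLine($"2040 CHUID expired on 2031-06-01? {IsExpired(longLived, new DateTime(2031, 6, 1))}");
    }
}
```

The bytes returned by BuildChuid are the complete data object for the CHUID container (PIV tag 0x5FC102). The documented SDK path stays CardholderUniqueId plus PivSession.WriteObject; to push a non-2030 date you would hand these bytes to the SDK's lower-level Put Data command instead, which requires management-key authentication on the PivSession just as WriteObject does. Whether the 0x53 wrapper must be included or is added by the command class is something to confirm in the SDK's command documentation before relying on this.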

closing

ghostidentity, May 14 '24 18:05