refactor: FIDO2 Credential Management Authentication, ApplicationSession

Yubico.YubiKey/src/Yubico/YubiKey/ApplicationSession.cs

@@ -30,9 +30,13 @@ public abstract class ApplicationSession : IDisposable
     {
         /// <summary>
         /// The object that represents the connection to the YubiKey. Most
-        /// applications will ignore this, but it can be used to call Commands
+        /// applications will ignore this, but it can be used to issue commands
         /// directly.
         /// </summary>
+        /// <remarks> This property gives you direct access to the existing connection to the YubiKey using the
+        /// <see cref="IYubiKeyConnection"/> interface. To send your own commands, call the
+        /// <see cref="IYubiKeyConnection.SendCommand{TResponse}"/>
+        /// </remarks>
         public IYubiKeyConnection Connection { get; protected set; }
 
         /// <summary>

Yubico.YubiKey/src/Yubico/YubiKey/Fido2/Commands/CredentialManagementCommand.cs

@@ -159,15 +159,11 @@ protected CredentialManagementCommand()
         /// <param name="authProtocol">
         /// The Auth Protocol used to build the Auth Token.
         /// </param>
-        /// <param name="decryptAuthToken">If true, the <c>pinUvAuthToken</c> is assumed encrypted,
-        /// and thus the SDK will attempt to decrypt it before passing it to the YubiKey.
-        /// If false, no decryption will be attempted.</param>
         public CredentialManagementCommand(
             int subCommand,
             byte[]? subCommandParams,
             ReadOnlyMemory<byte> pinUvAuthToken,
-            PinUvAuthProtocolBase authProtocol,
-            bool decryptAuthToken = true)
+            PinUvAuthProtocolBase authProtocol)
         {
             if (authProtocol is null)
             {
@@ -189,9 +185,7 @@ public CredentialManagementCommand(
 
             // The pinUvAuthToken is an encrypted value, so there's no need to
             // overwrite the array.
-            byte[] authParam = decryptAuthToken
-                ? authProtocol.AuthenticateUsingPinToken(pinUvAuthToken.ToArray(), message)
-                : authProtocol.Authenticate(pinUvAuthToken.ToArray(), message);
+            byte[] authParam = authProtocol.AuthenticateUsingPinToken(pinUvAuthToken, message);
 
             PinUvAuthParam = authParam;
             PinUvAuthProtocol = authProtocol.Protocol;
@@ -215,6 +209,35 @@ public CredentialManagementCommand(
             PinUvAuthParam = null;
         }
 
+        /// <summary>
+        /// Constructs a new instance of <see cref="CredentialManagementCommand"/> with a pre-computed PIN/UV auth param.
+        /// </summary>
+        /// <param name="subCommand">
+        /// The byte representing the subcommand to execute.
+        /// </param>
+        /// <param name="subCommandParams">
+        /// The parameters needed in order to execute the subcommand. Not all
+        /// subcommands have parameters, so this can be null.
+        /// </param>
+        /// <param name="pinUvAuthParam">
+        /// The pre-computed PIN/UV auth param for this command.
+        /// </param>
+        /// <param name="protocol">
+        /// The PIN/UV protocol version used to compute the auth param.
+        /// </param>
+        public CredentialManagementCommand(
+            int subCommand,
+            byte[]? subCommandParams,
+            ReadOnlyMemory<byte> pinUvAuthParam,
+            PinUvAuthProtocol protocol)
+        {
+            SubCommand = subCommand;
+            _encodedParams = subCommandParams;
+            _protocol = (int)protocol;
+            PinUvAuthParam = pinUvAuthParam;
+            PinUvAuthProtocol = protocol;
+        }
+
         /// <summary>
         /// Creates a well-formed CommandApdu to send to the YubiKey.
         /// </summary>

Yubico.YubiKey/src/Yubico/YubiKey/Fido2/Commands/EnumerateCredentialsBeginCommand.cs

@@ -69,23 +69,58 @@ private EnumerateCredentialsBeginCommand()
         /// <param name="authProtocol">
         ///     The Auth Protocol used to build the Auth Token.
         /// </param>
-        /// <param name="decryptAuthToken">If true, the <c>pinUvAuthToken</c> is assumed encrypted,
-        /// and thus the SDK will attempt to decrypt it before passing it to the YubiKey.
-        /// If false, no decryption will be attempted.</param>
         public EnumerateCredentialsBeginCommand(
             RelyingParty relyingParty,
             ReadOnlyMemory<byte> pinUvAuthToken,
-            PinUvAuthProtocolBase authProtocol,
-            bool decryptAuthToken = true)
+            PinUvAuthProtocolBase authProtocol)
             : base(new CredentialManagementCommand(
-            SubCmdEnumerateCredsBegin, EncodeParams(relyingParty), pinUvAuthToken, authProtocol, decryptAuthToken))
+            SubCmdEnumerateCredsBegin, EncodeParams(relyingParty), pinUvAuthToken, authProtocol))
+        {
+        }
+
+        /// <summary>
+        /// Constructs a new instance of <see cref="EnumerateCredentialsBeginCommand"/> with a pre-computed PIN/UV auth param.
+        /// </summary>
+        /// <param name="relyingParty">
+        ///     The relying party for which the credential enumeration is requested.
+        /// </param>
+        /// <param name="pinUvAuthParam">
+        ///     The pre-computed PIN/UV auth param for this command.
+        /// </param>
+        /// <param name="protocol">
+        ///     The PIN/UV protocol version used to compute the auth param.
+        /// </param>
+        public EnumerateCredentialsBeginCommand(
+            RelyingParty relyingParty,
+            ReadOnlyMemory<byte> pinUvAuthParam,
+            PinUvAuthProtocol protocol)
+            : base(new CredentialManagementCommand(
+            SubCmdEnumerateCredsBegin, EncodeParams(relyingParty), pinUvAuthParam, protocol))
         {
         }
 
         /// <inheritdoc />
         public EnumerateCredentialsBeginResponse CreateResponseForApdu(ResponseApdu responseApdu) =>
             new EnumerateCredentialsBeginResponse(responseApdu);
 
+        /// <summary>
+        /// Creates the authentication message for this command, consisting of the subcommand byte plus encoded parameters.
+        /// </summary>
+        /// <param name="relyingParty">
+        /// The relying party for which the credential enumeration is requested.
+        /// </param>
+        /// <returns>
+        /// The message to be used for PIN/UV authentication.
+        /// </returns>
+        public static byte[] GetAuthenticationMessage(RelyingParty relyingParty)
+        {
+            byte[] encodedParams = EncodeParams(relyingParty);
+            byte[] message = new byte[1 + encodedParams.Length];
+            message[0] = SubCmdEnumerateCredsBegin;
+            encodedParams.CopyTo(message, 1);
+            return message;
+        }
+
         // This method encodes the parameters. For
         // EnumerateCredentialsBeginCommand, the parameters consist of only the
         // rpIdHash, and it is encoded as

Yubico.YubiKey/src/Yubico/YubiKey/Fido2/Commands/EnumerateCredentialsGetNextCommand.cs

@@ -12,7 +12,9 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+using System;
 using Yubico.Core.Iso7816;
+using Yubico.YubiKey.Fido2.PinProtocols;
 
 namespace Yubico.YubiKey.Fido2.Commands
 {
@@ -56,6 +58,22 @@ public EnumerateCredentialsGetNextCommand()
         {
         }
 
+        /// <summary>
+        /// Constructs a new instance of <see cref="EnumerateCredentialsGetNextCommand"/> with a pre-computed PIN/UV auth param.
+        /// </summary>
+        /// <param name="pinUvAuthParam">
+        ///     The pre-computed PIN/UV auth param for this command.
+        /// </param>
+        /// <param name="protocol">
+        ///     The PIN/UV protocol version used to compute the auth param.
+        /// </param>
+        public EnumerateCredentialsGetNextCommand(
+            ReadOnlyMemory<byte> pinUvAuthParam,
+            PinUvAuthProtocol protocol)
+            : base(new CredentialManagementCommand(SubCmdGetEnumerateCredsGetNext, null, pinUvAuthParam, protocol))
+        {
+        }
+
         /// <inheritdoc />
         public EnumerateCredentialsGetNextResponse CreateResponseForApdu(ResponseApdu responseApdu) =>
             new EnumerateCredentialsGetNextResponse(responseApdu);

Yubico.YubiKey/src/Yubico/YubiKey/Fido2/Commands/EnumerateRpsBeginCommand.cs

@@ -60,19 +60,42 @@ private EnumerateRpsBeginCommand()
         /// <param name="authProtocol">
         ///     The Auth Protocol used to build the Auth Token.
         /// </param>
-        /// <param name="decryptAuthToken">If true, the <c>pinUvAuthToken</c> is assumed encrypted,
-        /// and thus the SDK will attempt to decrypt it before passing it to the YubiKey.
-        /// If false, no decryption will be attempted.</param>
         public EnumerateRpsBeginCommand(
             ReadOnlyMemory<byte> pinUvAuthToken,
-            PinUvAuthProtocolBase authProtocol,
-            bool decryptAuthToken = true)
-            : base(new CredentialManagementCommand(SubCmdEnumerateRpsBegin, null, pinUvAuthToken, authProtocol, decryptAuthToken))
+            PinUvAuthProtocolBase authProtocol)
+            : base(new CredentialManagementCommand(SubCmdEnumerateRpsBegin, null, pinUvAuthToken, authProtocol))
+        {
+        }
+
+        /// <summary>
+        /// Constructs a new instance of <see cref="EnumerateRpsBeginCommand"/> with a pre-computed PIN/UV auth param.
+        /// </summary>
+        /// <param name="pinUvAuthParam">
+        ///     The pre-computed PIN/UV auth param for this command.
+        /// </param>
+        /// <param name="protocol">
+        ///     The PIN/UV protocol version used to compute the auth param.
+        /// </param>
+        public EnumerateRpsBeginCommand(
+            ReadOnlyMemory<byte> pinUvAuthParam,
+            PinUvAuthProtocol protocol)
+            : base(new CredentialManagementCommand(SubCmdEnumerateRpsBegin, null, pinUvAuthParam, protocol))
         {
         }
 
         /// <inheritdoc />
         public EnumerateRpsBeginResponse CreateResponseForApdu(ResponseApdu responseApdu) =>
             new EnumerateRpsBeginResponse(responseApdu);
+
+        /// <summary>
+        /// Creates the authentication message for this command, consisting of only the subcommand byte.
+        /// </summary>
+        /// <returns>
+        /// The message to be used for PIN/UV authentication.
+        /// </returns>
+        public static byte[] GetAuthenticationMessage()
+        {
+            return new byte[] { SubCmdEnumerateRpsBegin };
+        }
     }
 }

Yubico.YubiKey/src/Yubico/YubiKey/Fido2/Commands/EnumerateRpsBeginResponse.cs

@@ -72,9 +72,9 @@ public EnumerateRpsBeginResponse(ResponseApdu responseApdu)
         {
             var credentialManagementData = _response.GetData();
 
-            if (!(credentialManagementData.RelyingParty is null)
-                && !(credentialManagementData.RelyingPartyIdHash is null)
-                && !(credentialManagementData.TotalRelyingPartyCount is null))
+            if (credentialManagementData.RelyingParty is not null
+                && credentialManagementData.RelyingPartyIdHash is not null
+                && credentialManagementData.TotalRelyingPartyCount is not null)
             {
                 if (credentialManagementData.RelyingParty.IsMatchingRelyingPartyId(credentialManagementData.RelyingPartyIdHash.Value))
                 {

Yubico.YubiKey/src/Yubico/YubiKey/Fido2/Commands/GetCredentialMetadataCommand.cs

@@ -51,26 +51,48 @@ private GetCredentialMetadataCommand()
         /// <param name="authProtocol">
         /// The Auth Protocol used to build the Auth Token.
         /// </param>
-        /// <param name="decryptAuthToken">If true, the <c>pinUvAuthToken</c> is assumed encrypted,
-        /// and thus the SDK will attempt to decrypt it before passing it to the YubiKey.
-        /// If false, no decryption will be attempted.</param>
         public GetCredentialMetadataCommand(
             ReadOnlyMemory<byte> pinUvAuthToken,
-            PinUvAuthProtocolBase authProtocol,
-            bool decryptAuthToken = true)
+            PinUvAuthProtocolBase authProtocol)
             : base(
                 new CredentialManagementCommand(
                     SubCmdGetMetadata,
                     null,
                     pinUvAuthToken,
-                    authProtocol,
-                    decryptAuthToken))
+                    authProtocol))
+        {
+
+        }
+
+        /// <summary>
+        /// Constructs a new instance of <see cref="GetCredentialMetadataCommand"/> with a pre-computed PIN/UV auth param.
+        /// </summary>
+        /// <param name="pinUvAuthParam">
+        ///     The pre-computed PIN/UV auth param for this command.
+        /// </param>
+        /// <param name="protocol">
+        ///     The PIN/UV protocol version used to compute the auth param.
+        /// </param>
+        public GetCredentialMetadataCommand(
+            ReadOnlyMemory<byte> pinUvAuthParam,
+            PinUvAuthProtocol protocol)
+            : base(new CredentialManagementCommand(SubCmdGetMetadata, null, pinUvAuthParam, protocol))
         {
-
         }
 
         /// <inheritdoc />
         public GetCredentialMetadataResponse CreateResponseForApdu(ResponseApdu responseApdu) =>
             new GetCredentialMetadataResponse(responseApdu);
+
+        /// <summary>
+        /// Creates the authentication message for this command, consisting of only the subcommand byte.
+        /// </summary>
+        /// <returns>
+        /// The message to be used for PIN/UV authentication.
+        /// </returns>
+        public static byte[] GetAuthenticationMessage()
+        {
+            return new byte[] { SubCmdGetMetadata };
+        }
     }
 }

Yubico.YubiKey/src/Yubico/YubiKey/Fido2/Fido2Session.BioEnrollment.cs

@@ -41,7 +41,7 @@ public sealed partial class Fido2Session
         /// </returns>
         public BioModality GetBioModality()
         {
-            _log.LogInformation("Get BioModality.");
+            Logger.LogInformation("Get BioModality.");
 
             var cmd = new GetBioModalityCommand();
             var response = Connection.SendCommand(cmd);
@@ -73,7 +73,7 @@ public BioModality GetBioModality()
         /// </exception>
         public FingerprintSensorInfo GetFingerprintSensorInfo()
         {
-            _log.LogInformation("Get fingerprint sensor info.");
+            Logger.LogInformation("Get fingerprint sensor info.");
 
             var cmd = new GetFingerprintSensorInfoCommand();
             var rsp = Connection.SendCommand(cmd);
@@ -229,7 +229,7 @@ public IReadOnlyList<TemplateInfo> EnumerateBioEnrollments()
         /// </exception>
         public TemplateInfo EnrollFingerprint(string? friendlyName, int? timeoutMilliseconds)
         {
-            _log.LogInformation("Try to enroll a fingerprint.");
+            Logger.LogInformation("Try to enroll a fingerprint.");
 
             var keyCollector = EnsureKeyCollector();
 

Yubico.YubiKey/src/Yubico/YubiKey/Fido2/Fido2Session.Config.cs

@@ -70,7 +70,7 @@ public sealed partial class Fido2Session
         /// </exception>
         public bool TryEnableEnterpriseAttestation()
         {
-            _log.LogInformation("Try to EnableEnterpriseAttestation.");
+            Logger.LogInformation("Try to EnableEnterpriseAttestation.");
 
             var epValue = AuthenticatorInfo.GetOptionValue(AuthenticatorOptions.ep);
 
@@ -162,7 +162,7 @@ public bool TryEnableEnterpriseAttestation()
         /// </exception>
         public bool TryToggleAlwaysUv()
         {
-            _log.LogInformation("Try to ToggleAlwaysUv.");
+            Logger.LogInformation("Try to ToggleAlwaysUv.");
 
             var alwaysUvValue = AuthenticatorInfo.GetOptionValue(AuthenticatorOptions.alwaysUv);
             if (alwaysUvValue != OptionValue.True && alwaysUvValue != OptionValue.False)
@@ -322,7 +322,7 @@ public bool TrySetPinConfig(
             IReadOnlyList<string>? relyingPartyIds = null,
             bool? forceChangePin = null)
         {
-            _log.LogInformation("Try to set the PIN config (setMinPINLength).");
+            Logger.LogInformation("Try to set the PIN config (setMinPINLength).");
 
             var setMinPinValue = AuthenticatorInfo.GetOptionValue(AuthenticatorOptions.setMinPINLength);