Merge pull request #224 from Yubico/release/1.13.1

Release 1.13.1

Author: DennisDyallo

Yubico.YubiKey/src/Resources/ExceptionMessages.Designer.cs

@@ -475,8 +475,14 @@
   <data name="Ctap2UnknownAttestationFormat" xml:space="preserve">
     <value>The attestation was provided in an unknown format and cannot be parsed.</value>
   </data>
+  <data name="FailedCompressingCertificate" xml:space="preserve">
+    <value>Failed to compress certificate.</value>
+  </data>
+  <data name="FailedDecompressingCertificate" xml:space="preserve">
+    <value>Failed to decompress certificate.</value>
+  </data>
   <data name="FailedParsingCertificate" xml:space="preserve">
-    <value>A certificate was not able to parsed.</value>
+    <value>Failed to parse certificate data.</value>
   </data>
   <data name="InvalidOtpChallengeResponseAlgorithm" xml:space="preserve">
     <value>The challenge / response algorithm specified is invalid.</value>

Yubico.YubiKey/src/Resources/ExceptionMessages.resx

@@ -70,7 +70,7 @@ public static IPrivateKey CreatePrivateKey(ReadOnlyMemory<byte> pkcs8EncodedKey)
     public static Curve25519PrivateKey CreateCurve25519Key(ReadOnlyMemory<byte> pkcs8EncodedKey) =>
         Curve25519PrivateKey.CreateFromPkcs8(pkcs8EncodedKey);
 
-    public static (byte[], KeyType) GetCurve25519PrivateKeyData(ReadOnlyMemory<byte> pkcs8EncodedKey)
+    public static (byte[] privateKey, KeyType keyType) GetCurve25519PrivateKeyData(ReadOnlyMemory<byte> pkcs8EncodedKey)
     {
         var reader = new AsnReader(pkcs8EncodedKey, AsnEncodingRules.DER);
         var seqPrivateKeyInfo = reader.ReadSequence();

Yubico.YubiKey/src/Yubico/YubiKey/Cryptography/AsnPrivateKeyDecoder.cs

@@ -84,9 +84,9 @@ public static Span<byte> GetIntegerBytes(Span<byte> value)
     /// <exception cref="CryptographicException">If the private key does not meet the bit clamping requirements.</exception>
     public static void VerifyX25519PrivateKey(ReadOnlySpan<byte> x25519PrivateKey)
     {
-        if ((x25519PrivateKey[0] & 0b111) != 0 || // Check that the 3 least significant bits are 0
-            (x25519PrivateKey[31] & 0x80) != 0 || // Check most significant bit is 0
-            (x25519PrivateKey[31] & 0x40) != 0x40) // Check second-most significant bit is 1
+        if ((x25519PrivateKey[0] & 0b111) != 0 || // Check that the 3 least significant bits are set
+            (x25519PrivateKey[31] & 0x80) != 0 || // Check most significant bit is set
+            (x25519PrivateKey[31] & 0x40) != 0x40) // Check second most significant bit not set
         {
             throw new CryptographicException("Invalid X25519 private key: improper bit clamping");
         }

Yubico.YubiKey/src/Yubico/YubiKey/Cryptography/AsnUtilities.cs

@@ -68,8 +68,6 @@ public override byte[] ExportPkcs8PrivateKey()
     /// </remarks>
     public override void Clear() => CryptographicOperations.ZeroMemory(_privateKey.Span);
 
-
-
     /// <summary>
     /// Creates an instance of <see cref="Curve25519PrivateKey"/> from a PKCS#8
     /// DER-encoded private key.

Yubico.YubiKey/src/Yubico/YubiKey/Cryptography/Curve25519PrivateKey.cs

@@ -188,7 +188,7 @@ public BioEnrollmentCommand(
             // The pinUvAuthToken is an encrypted value, so there's no need to
             // overwrite the array.
             byte[] authParam = authProtocol.AuthenticateUsingPinToken(pinUvAuthToken.ToArray(), message);
-            PinUvAuthParam = new ReadOnlyMemory<byte>(authParam, 0, 16);
+            PinUvAuthParam = new ReadOnlyMemory<byte>(authParam);
             PinUvAuthProtocol = authProtocol.Protocol;
         }
 

Yubico.YubiKey/src/Yubico/YubiKey/Fido2/Commands/BioEnrollmentCommand.cs

@@ -180,7 +180,7 @@ public ConfigCommand(
             // The pinUvAuthToken is an encrypted value, so there's no need to
             // overwrite the array.
             byte[] authParam = authProtocol.AuthenticateUsingPinToken(pinUvAuthToken.ToArray(), message);
-            PinUvAuthParam = new ReadOnlyMemory<byte>(authParam, 0, 16);
+            PinUvAuthParam = new ReadOnlyMemory<byte>(authParam);
             PinUvAuthProtocol = authProtocol.Protocol;
         }
 

Yubico.YubiKey/src/Yubico/YubiKey/Fido2/Commands/ConfigCommand.cs

@@ -184,7 +184,7 @@ public CredentialManagementCommand(
             // The pinUvAuthToken is an encrypted value, so there's no need to
             // overwrite the array.
             byte[] authParam = authProtocol.AuthenticateUsingPinToken(pinUvAuthToken.ToArray(), message);
-            PinUvAuthParam = new ReadOnlyMemory<byte>(authParam, 0, 16);
+            PinUvAuthParam = new ReadOnlyMemory<byte>(authParam);
             PinUvAuthProtocol = authProtocol.Protocol;
         }
 

Yubico.YubiKey/src/Yubico/YubiKey/Fido2/Commands/CredentialManagementCommand.cs

@@ -61,6 +61,36 @@ public FirmwareVersion(byte major, byte minor = 0, byte patch = 0)
             Minor = minor;
             Patch = patch;
         }
+        
+        /// <summary>
+        /// Parse a string of the form "major.minor.patch"
+        /// </summary>
+        /// <param name="versionString"></param>
+        /// <returns>Returns a FirmwareVersion instance</returns>
+        /// <exception cref="ArgumentNullException"></exception>
+        /// <exception cref="ArgumentException"></exception>
+        public static FirmwareVersion Parse(string versionString)
+        {
+            if (versionString is null)
+            {
+                throw new ArgumentNullException(nameof(versionString));
+            }
+            
+            string[] parts = versionString.Split('.');
+            if (parts.Length != 3)
+            {
+                throw new ArgumentException("Must include major.minor.patch", nameof(versionString));
+            }
+            
+            if (!byte.TryParse(parts[0], out byte major) ||
+                !byte.TryParse(parts[1], out byte minor) || 
+                !byte.TryParse(parts[2], out byte patch))
+            {
+                throw new ArgumentException("Major, minor and patch must be valid numbers", nameof(versionString));
+            }
+            
+            return new FirmwareVersion(major, minor, patch);
+        }
 
         public static bool operator >(FirmwareVersion left, FirmwareVersion right)
         {

Yubico.YubiKey/src/Yubico/YubiKey/FirmwareVersion.cs

@@ -14,13 +14,14 @@
 
 using System;
 using System.Globalization;
+using System.IO;
+using System.IO.Compression;
 using System.Security;
 using System.Security.Cryptography.X509Certificates;
 using Yubico.Core.Tlv;
 using Yubico.YubiKey.Cryptography;
 using Yubico.YubiKey.Piv.Commands;
 using Yubico.YubiKey.Piv.Converters;
-using static Yubico.YubiKey.Cryptography.KeyDefinitions;
 
 namespace Yubico.YubiKey.Piv
 {
@@ -29,9 +30,19 @@ namespace Yubico.YubiKey.Piv
     // certificates associated with the private keys.
     public sealed partial class PivSession : IDisposable
     {
-        private const int PivCompressionTag = 0x71;
+        private const int PivCertInfoTag = 0x71;
         private const int PivLrcTag = 0xFE;
 
+        /// <summary>
+        /// Indicates the certificate is not compressed
+        /// </summary>
+        private const byte UncompressedCert = 0;
+        
+        /// <summary>
+        /// Indicates the certificate is compressed
+        /// </summary>
+        private const byte CompressedCert = 1;
+        
         [Obsolete("Usage of PivEccPublic/PivEccPrivateKey is deprecated. Use IPublicKey, IPrivateKey instead", false)]
         public PivPublicKey GenerateKeyPair(
             byte slotNumber,
@@ -452,6 +463,9 @@ public void ImportPrivateKey(
         /// <param name="certificate">
         /// The certificate to import into the YubiKey.
         /// </param>
+        /// <param name="compress">
+        /// If true the certificate will be compressed before being stored on the YubiKey.
+        /// </param>
         /// <exception cref="ArgumentNullException">
         /// The <c>certificate</c> argument is <c>null</c>.
         /// </exception>
@@ -470,7 +484,7 @@ public void ImportPrivateKey(
         /// Mutual authentication was performed and the YubiKey was not
         /// authenticated.
         /// </exception>
-        public void ImportCertificate(byte slotNumber, X509Certificate2 certificate)
+        public void ImportCertificate(byte slotNumber, X509Certificate2 certificate, bool compress = false)
         {
             if (certificate is null)
             {
@@ -479,20 +493,35 @@ public void ImportCertificate(byte slotNumber, X509Certificate2 certificate)
 
             RefreshManagementKeyAuthentication();
 
-            var dataTag = GetCertDataTagFromSlotNumber(slotNumber);
-
+            byte certInfo = UncompressedCert; 
             byte[] certDer = certificate.GetRawCertData();
-            var tlvWriter = new TlvWriter();
+            if (compress)
+            {
+                certInfo = CompressedCert;
+                try
+                {
+                    certDer = Compress(certDer);
+                }
+                catch (Exception)
+                {
+                    throw new InvalidOperationException(
+                        string.Format(
+                            CultureInfo.CurrentCulture,
+                            ExceptionMessages.FailedCompressingCertificate));
+                }
+            }
 
+            var tlvWriter = new TlvWriter();
             using (tlvWriter.WriteNestedTlv(PivEncodingTag))
             {
                 tlvWriter.WriteValue(PivCertTag, certDer);
-                tlvWriter.WriteByte(PivCompressionTag, 0);
+                tlvWriter.WriteByte(PivCertInfoTag, certInfo);
                 tlvWriter.WriteValue(PivLrcTag, null);
             }
 
             byte[] encodedCert = tlvWriter.Encode();
 
+            var dataTag = GetCertDataTagFromSlotNumber(slotNumber);
             var command = new PutDataCommand((int)dataTag, encodedCert);
             var response = Connection.SendCommand(command);
             if (response.Status != ResponseStatus.Success)
@@ -546,22 +575,36 @@ public X509Certificate2 GetCertificate(byte slotNumber)
             var response = Connection.SendCommand(command);
             var encodedCertData = response.GetData();
 
-            var tlvReader = new TlvReader(encodedCertData);
+            var responseData = TlvObjects.UnpackValue(PivEncodingTag, encodedCertData.Span);
+            var certData = TlvObjects.DecodeDictionary(responseData.Span);
 
-            bool isValid = tlvReader.TryReadNestedTlv(out var nestedReader, PivEncodingTag);
-            if (isValid)
+            bool hasCertInfo = certData.TryGetValue(PivCertInfoTag, out var certInfo);
+            if (!certData.TryGetValue(PivCertTag, out var certBytes))
             {
-                isValid = nestedReader.TryReadValue(out var certData, PivCertTag);
-                if (isValid)
-                {
-                    return new X509Certificate2(certData.ToArray());
-                }
+                throw new InvalidOperationException(
+                    string.Format(
+                        CultureInfo.CurrentCulture,
+                        ExceptionMessages.FailedParsingCertificate));
             }
 
-            throw new InvalidOperationException(
-                string.Format(
-                    CultureInfo.CurrentCulture,
-                    ExceptionMessages.FailedParsingCertificate));
+            byte[] certBytesCopy = certBytes.ToArray();
+            bool isCompressed = hasCertInfo && certInfo.Length > 0 && certInfo.Span[0] == CompressedCert;
+            if (!isCompressed)
+            {
+                return new X509Certificate2(certBytesCopy);
+            }
+
+            try
+            {
+                return new X509Certificate2(Decompress(certBytesCopy));
+            }
+            catch (Exception)
+            {
+                throw new InvalidOperationException(
+                    string.Format(
+                        CultureInfo.CurrentCulture,
+                        ExceptionMessages.FailedDecompressingCertificate));
+            }
         }
 
         // There is a DataTag to use when calling PUT DATA. To put a cert onto
@@ -587,15 +630,36 @@ private static PivDataTag GetCertDataTagFromSlotNumber(byte slotNumber)
                         slotNumber)),
             };
         }
-        
+
         private void RefreshManagementKeyAuthentication()
         {
             if (ManagementKeyAuthenticated)
             {
                 return;
             }
-            
+
             AuthenticateManagementKey();
         }
+
+        static private byte[] Compress(byte[] data)
+        {
+            using var compressedStream = new MemoryStream();
+            using (var compressor = new GZipStream(compressedStream, CompressionLevel.Optimal))
+            {
+                compressor.Write(data, 0, data.Length);
+            }
+
+            return compressedStream.ToArray();
+        }
+
+        static private byte[] Decompress(byte[] data)
+        {
+            using var dataStream = new MemoryStream(data);
+            using var decompressor = new GZipStream(dataStream, CompressionMode.Decompress);
+            using var decompressedStream = new MemoryStream();
+            decompressor.CopyTo(decompressedStream);
+            
+            return decompressedStream.ToArray();
+        }
     }
 }