Yubico / Yubico.NET.SDK

A YubiKey SDK for .NET developers
Apache License 2.0

CHUID support ? #64

Closed ghostidentity closed 1 month ago

ghostidentity commented 6 months ago

Hello,

I want to know if the SDK has support to create a CHUID on the device?

Thanks.

DSBloom commented 6 months ago

Check this out https://github.com/Yubico/Yubico.NET.SDK/issues/4

GregDomzalski commented 6 months ago

Thanks @DSBloom 😄

Yes - the documentation you're looking for is here:

ghostidentity commented 6 months ago

Thank you! I figured it out.

ghostidentity commented 6 months ago

I'd like to ask why the expiration date is set to a constant 2030? The company will likely issue 1 YubiKey for each employee, who will have employment of more than 10 years?

Will it trigger an issue reading the CHUID value if the expiration date has expired?

GregDomzalski commented 6 months ago

Thanks for sharing your code for others!

Well, that's a great question.

The short answer is: it looks like the original developer simply mimicked what our ykpiv C library does. Generally, when we were building out this .NET library, we relied heavily on the existing C library implementations' behavior as they tend to be what we consider the "reference" implementations.

So why does the C library do this? I don't know. I will reach out to our PIV experts and see if I can get an answer for you.

ghostidentity commented 6 months ago

Thank you, hopefully the SDK can be updated to allow expiration date to be updatable.

GregDomzalski commented 5 months ago

Hi - so I was able to follow up with the developer of the C ykpiv library where this behavior came from. The answer was essentially that, at the time, they saw people mostly caring about setting the unique ID part of the CHUID and not much else - so they picked the rest of the values so the caller would not need to compute things like the signature and CRC. At the time (this was a few years ago), 2030 seemed "far enough away" 😄

So, long story short, it seems like you should be able to set it to whatever you want so long as it adheres to the PIV standards and specifications. At least from the YubiKey's perspective. We block this through the CardHolderUniqueId utility class in the C# SDK, but there's nothing preventing you from calling the Get / Put object commands directly through our lower level interface.

I will also open a ticket in our internal system for consideration of fixing this in a future version of the SDK.
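The comment above describes the CHUID as a handful of fixed fields (FASC-N, unique ID, expiration date, signature, error-detection code) of which callers usually only set the unique ID, and suggests writing the object yourself through the lower-level Get / Put object commands if the fixed 2030 date is a problem. The following is an added example, not code from the SDK, from ykpiv or from anyone in this thread. It encodes a CHUID with a caller-chosen expiration date, parses one back, and checks whether it has expired, so a reader can see exactly which bytes the `20300101` constant occupies. The element tags follow SP 800-73-4; the all-zero FASC-N, the empty signature and error-detection elements, and the "valid through the expiration date" rule in `is_expired` are assumptions made for the example.

```python
"""PIV CHUID data object: build one with a caller-chosen expiration date,
parse it back, and check whether it has expired.

Element layout per SP 800-73-4 (Card Holder Unique Identifier):
  0x30 FASC-N (25 bytes)
  0x34 GUID (16 bytes)
  0x35 Expiration date (8 ASCII bytes, YYYYMMDD)
  0x3E Issuer asymmetric signature (left empty here)
  0xFE Error detection code (left empty here)
"""
import uuid
from datetime import date

TAG_FASC_N = 0x30
TAG_GUID = 0x34
TAG_EXPIRY = 0x35
TAG_SIGNATURE = 0x3E
TAG_EDC = 0xFE

# Constructed placeholder FASC-N for the example; a real card carries an
# issuer-assigned value.
PLACEHOLDER_FASC_N = bytes(25)


def _encode_length(n: int) -> bytes:
    """BER definite-form length; a CHUID never needs more than two length bytes."""
    if n < 0x80:
        return bytes([n])
    if n < 0x100:
        return bytes([0x81, n])
    return bytes([0x82, n >> 8, n & 0xFF])


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _encode_length(len(value)) + value


def build_chuid(guid: uuid.UUID, expires: date,
                fasc_n: bytes = PLACEHOLDER_FASC_N, signature: bytes = b"") -> bytes:
    """Encode a CHUID; `expires` replaces the fixed 20300101 of the C template."""
    if len(fasc_n) != 25:
        raise ValueError("FASC-N must be 25 bytes")
    return (_tlv(TAG_FASC_N, fasc_n)
            + _tlv(TAG_GUID, guid.bytes)
            + _tlv(TAG_EXPIRY, expires.strftime("%Y%m%d").encode("ascii"))
            + _tlv(TAG_SIGNATURE, signature)
            + _tlv(TAG_EDC, b""))


def _iter_tlv(data: bytes):
    """Walk single-byte-tag BER-TLV elements, refusing truncated input."""
    i = 0
    while i < len(data):
        tag = data[i]
        i += 1
        if i >= len(data):
            raise ValueError("truncated TLV header")
        length = data[i]
        i += 1
        if length == 0x81:
            length = data[i]
            i += 1
        elif length == 0x82:
            length = (data[i] << 8) | data[i + 1]
            i += 2
        elif length >= 0x80:
            raise ValueError("unsupported length encoding")
        if i + length > len(data):
            raise ValueError("TLV value runs past end of data")
        yield tag, data[i:i + length]
        i += length


def parse_chuid(data: bytes) -> dict:
    """Decode the fields a relying party checks; reject malformed dates."""
    elements = dict(_iter_tlv(data))
    for tag in (TAG_FASC_N, TAG_GUID, TAG_EXPIRY):
        if tag not in elements:
            raise ValueError(f"CHUID missing mandatory element 0x{tag:02X}")
    raw = elements[TAG_EXPIRY]
    if len(raw) != 8 or not raw.isdigit():
        raise ValueError("expiration date is not 8 ASCII digits")
    expires = date(int(raw[:4]), int(raw[4:6]), int(raw[6:]))
    return {
        "fasc_n": elements[TAG_FASC_N],
        "guid": uuid.UUID(bytes=elements[TAG_GUID]),
        "expires": expires,
        "signed": len(elements.get(TAG_SIGNATURE, b"")) > 0,
    }


def is_expired(chuid: bytes, today: date) -> bool:
    """Assumption for this example: the CHUID is valid through its expiration date."""
    return today > parse_chuid(chuid)["expires"]


if __name__ == "__main__":
    legacy = build_chuid(uuid.uuid4(), date(2030, 1, 1))   # the C library's fixed date
    longer = build_chuid(uuid.uuid4(), date(2040, 6, 30))  # a caller-chosen date
    for label, blob in (("2030 template", legacy), ("custom", longer)):
        info = parse_chuid(blob)
        print(label, len(blob), "bytes, expires", info["expires"],
              "expired on 2031-01-01:", is_expired(blob, date(2031, 1, 1)))
```

The 59-byte output for the 2030 date matches the size of the fixed template the C library writes, with the expiration string sitting right after the GUID element; a relying party that checks `is_expired` would start rejecting the default object on 2030-01-02, which is the practical consequence of the constant the question asks about.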

ghostidentity commented 1 month ago

closing