Improve prf encryption and large blob import#201

Open
JMarkstrom wants to merge 3 commits into master from improve-prf-encryption-and-large-blob-import

Conversation

@JMarkstrom
Collaborator

Add default parameter sets for FIDO2 blob and PRF cmdlets to auto-create a supporting FIDO2 credential.

Add AutoCreate / AutoLookup default parameter sets to Import-YubiKeyFIDO2Blob, Export-YubiKeyFIDO2Blob, and Protect-YubiKeyFIDO2File so that users can round-trip blobs and encrypt files without manually specifying credentials or relying parties. Also isolate credential-resolution into dedicated FIDO2 sessions to prevent stale-session bugs.

Goal: Enable zero-configuration FIDO2 workflows — Import, Export, and Protect all "just work" with a single mandatory parameter, creating or reusing synthetic credentials on demand.

Details

  • Import-YubiKeyFIDO2Blob.cs:
    • Add AutoCreate default parameter set requiring only -LargeBlob
    • Auto-create or reuse a "blob-storage" credential (AutoCreateRpId / AutoCreateUsername constants)
    • Add -Force to AutoCreate set to suppress confirmation prompts
    • Move credential lookup, RP resolution, and credential creation to isolated sessions (Phase 1), then use a fresh session for assertion + blob operations (Phase 2)
    • Replace switch with if/else if branching; add SupportsShouldProcess and ConfirmImpact.High
    • Update XML documentation and examples
  • ExportYubiKeyFIDO2Blob.cs:
    • Add AutoLookup default parameter set requiring only -OutFile
    • Enumerate RPs to find "blob-storage" (case-insensitive), resolve its first credential, or throw with guidance to use Import-YubiKeyFIDO2Blob
    • Add OutFile to all three parameter sets; add AutoCreateRpId constant
    • Simplify BeginProcessing to always connect to FIDO2 (all sets need it)
    • Update XML documentation and examples
  • ProtectYubiKeyFIDO2File.cs:
    • Move AutoCreate credential lookup to an isolated session; create credential via New-YubiKeyFIDO2Credential if none exists
    • Move ByRelyingPartyID resolution to an isolated session
    • Use a fresh session for the assertion, not contaminated by credential creation
    • Update doc block wording ("creating or reusing")
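The zero-configuration round trip described above, as an added example that is not part of the PR or the module's own code: import a blob with only -LargeBlob, export it with only -OutFile, and verify the bytes match. It assumes the module is already imported, a YubiKey with a PIN set is connected, and that -LargeBlob accepts a file path (the parameter type is not shown on this page, so that is an assumption).

```powershell
# Added example (not from the PR). Assumptions: module imported, one YubiKey
# connected with a PIN set, and -LargeBlob takes a file path.
$ErrorActionPreference = 'Stop'

$src = Join-Path ([System.IO.Path]::GetTempPath()) 'blob-in.bin'
$dst = Join-Path ([System.IO.Path]::GetTempPath()) 'blob-out.bin'

# Constructed sample payload: 512 random bytes written to $src.
$payload = New-Object byte[] 512
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($payload)
[System.IO.File]::WriteAllBytes($src, $payload)

# AutoCreate set: Phase 1 creates or reuses the "blob-storage" credential in an
# isolated session; -Force suppresses the ConfirmImpact.High prompt.
Import-YubiKeyFIDO2Blob -LargeBlob $src -Force

# AutoLookup set: finds the "blob-storage" RP (case-insensitive), takes its
# first credential and writes the stored blob to $dst.
Export-YubiKeyFIDO2Blob -OutFile $dst

# The check a reviewer would want: exported bytes must equal the imported bytes.
$inHash  = (Get-FileHash -Algorithm SHA256 -Path $src).Hash
$outHash = (Get-FileHash -Algorithm SHA256 -Path $dst).Hash
if ($inHash -ne $outHash) {
    throw "Large blob round trip failed: $inHash != $outHash"
}

# Running the import a second time must reuse, not duplicate, the credential;
# a second round trip succeeding without a new prompt confirms that path.
Import-YubiKeyFIDO2Blob -LargeBlob $src -Force
Export-YubiKeyFIDO2Blob -OutFile $dst
if ((Get-FileHash -Algorithm SHA256 -Path $dst).Hash -ne $inHash) {
    throw "Second round trip failed after credential reuse"
}
"Round trip OK ($($payload.Length) bytes, SHA256 $inHash)"
```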

… supplied

Change the default parameter set to "AutoCreate" so that running
Protect-YubiKeyFIDO2File without -Credential or -RelyingPartyID
automatically creates a synthetic credential (RP and username both
set to "prf-encryption") via New-YubiKeyFIDO2Credential.

Add a -Force switch to suppress the confirmation prompt during
auto-creation. Update XML doc examples to cover the new default
flow.