Refactor encrypted field decryption and add AuthenticatorCredStoreState to Fido2Session

This commit refactors the CTAP 2.2/2.3 encrypted field decryption logic
and exposes credential store state at the session level for easier access.

Refactoring (AuthenticatorInfo.cs):
- Extracted common decryption logic into DecryptEncryptedField() helper method
- Eliminated code duplication between GetIdentifier() and GetCredStoreState()
- Both methods now delegate to the shared helper with field-specific HKDF info
- Added comprehensive documentation to the helper method explaining the
  CTAP 2.2/2.3 decryption scheme (HKDF-SHA-256 + AES-128-CBC)
- Reduced code from ~60 lines to ~25 lines while maintaining identical behavior

New Property (Fido2Session.cs):
- Added AuthenticatorCredStoreState property that mirrors AuthenticatorIdentifier
- Provides convenient session-level access to credential store state
- Automatically manages persistent PIN/UV auth token retrieval
- Enables easy detection of credential store changes across sessions/resets
- Follows the established pattern for encrypted field access

New Test (Fido2Tests.cs):
- Added Session_AuthenticatorCredStoreState_Returns_SameCredStoreState()
- Mirrors the existing AuthenticatorIdentifier test pattern
- Verifies credential store state consistency across sessions
- Requires YubiKey firmware 5.8.0+ for execution

Benefits:
- DRY principle: Single source of truth for encrypted field decryption
- Maintainability: Future encrypted fields can use the same helper
- Consistency: Both identifier and cred store state use identical patterns
- Simplicity: Session-level properties hide PPUAT management complexity
- API parity: .NET SDK now matches Java SDK feature set

The refactoring maintains 100% backward compatibility - all existing
code continues to work without changes.

Author: DennisDyallo

Yubico.YubiKey/src/Yubico/YubiKey/Fido2/AuthenticatorInfo.cs

@@ -597,30 +597,8 @@ List<PinUvAuthProtocol> ParsePinUvAuthProtocols(CborMap<int> cborMap)
         /// <returns>
         /// The decrypted identifier as a read-only memory block of bytes, or null if the encrypted identifier is not set.
         /// </returns>
-        public ReadOnlyMemory<byte>? GetIdentifier(ReadOnlyMemory<byte> persistentUvAuthToken)
-        {
-            if (EncIdentifier is null)
-            {
-                return null;
-            }
-
-            if (persistentUvAuthToken.Length == 0)
-            {
-                return null;
-            }
-
-            Span<byte> iv = stackalloc byte[16];
-            Span<byte> ct = stackalloc byte[16];
-            Span<byte> salt = stackalloc byte[32];
-            EncIdentifier.Value.Span[..16].CopyTo(iv);
-            EncIdentifier.Value.Span[16..].CopyTo(ct);
-
-            var key = HkdfUtilities.DeriveKey(persistentUvAuthToken.Span, salt, "encIdentifier"u8, 16);
-            var decryptedIdentifier = AesUtilities.AesCbcDecrypt(key.Span, iv, ct);
-            CryptographicOperations.ZeroMemory(key.Span);
-
-            return decryptedIdentifier;
-        }
+        public ReadOnlyMemory<byte>? GetIdentifier(ReadOnlyMemory<byte> persistentUvAuthToken) =>
+            DecryptEncryptedField(EncIdentifier, persistentUvAuthToken, "encIdentifier"u8);
 
         /// <summary>
         /// Retrieves the credential store state derived from the encrypted credential store state, using the provided persistent UV authentication token.
@@ -631,9 +609,38 @@ List<PinUvAuthProtocol> ParsePinUvAuthProtocols(CborMap<int> cborMap)
         /// <returns>
         /// The decrypted credential store state as a read-only memory block of bytes, or null if the encrypted credential store state is not set.
         /// </returns>
-        public ReadOnlyMemory<byte>? GetCredStoreState(ReadOnlyMemory<byte> persistentPinUvAuthToken)
+        public ReadOnlyMemory<byte>? GetCredStoreState(ReadOnlyMemory<byte> persistentPinUvAuthToken) =>
+            DecryptEncryptedField(EncCredStoreState, persistentPinUvAuthToken, "encCredStoreState"u8);
+
+        /// <summary>
+        /// Decrypts an encrypted field using the provided persistent PIN/UV authentication token.
+        /// </summary>
+        /// <remarks>
+        /// This method implements the CTAP 2.2/2.3 decryption scheme for encrypted authenticator fields:
+        /// - Uses HKDF-SHA-256 to derive a 16-byte decryption key from the persistent token
+        /// - Salt: 32 bytes of zeros
+        /// - Info parameter: Field-specific context string (e.g., "encIdentifier", "encCredStoreState")
+        /// - Decrypts using AES-128-CBC
+        /// - Encrypted data format: 16-byte IV + 16-byte ciphertext
+        /// </remarks>
+        /// <param name="encryptedData">
+        /// The encrypted field data (32 bytes: 16-byte IV + 16-byte ciphertext), or null if not available.
+        /// </param>
+        /// <param name="persistentPinUvAuthToken">
+        /// The persistent PIN/UV authentication token used to derive the decryption key.
+        /// </param>
+        /// <param name="hkdfInfo">
+        /// The HKDF info parameter (context string) specific to the field being decrypted.
+        /// </param>
+        /// <returns>
+        /// The decrypted plaintext (16 bytes), or null if the encrypted data is not available or the token is empty.
+        /// </returns>
+        private static ReadOnlyMemory<byte>? DecryptEncryptedField(
+            ReadOnlyMemory<byte>? encryptedData,
+            ReadOnlyMemory<byte> persistentPinUvAuthToken,
+            ReadOnlySpan<byte> hkdfInfo)
         {
-            if (EncCredStoreState is null)
+            if (encryptedData is null)
             {
                 return null;
             }
@@ -646,14 +653,14 @@ List<PinUvAuthProtocol> ParsePinUvAuthProtocols(CborMap<int> cborMap)
             Span<byte> iv = stackalloc byte[16];
             Span<byte> ct = stackalloc byte[16];
             Span<byte> salt = stackalloc byte[32];
-            EncCredStoreState.Value.Span[..16].CopyTo(iv);
-            EncCredStoreState.Value.Span[16..].CopyTo(ct);
+            encryptedData.Value.Span[..16].CopyTo(iv);
+            encryptedData.Value.Span[16..].CopyTo(ct);
 
-            var key = HkdfUtilities.DeriveKey(persistentPinUvAuthToken.Span, salt, "encCredStoreState"u8, 16);
-            var decryptedCredStoreState = AesUtilities.AesCbcDecrypt(key.Span, iv, ct);
+            var key = HkdfUtilities.DeriveKey(persistentPinUvAuthToken.Span, salt, hkdfInfo, 16);
+            var decrypted = AesUtilities.AesCbcDecrypt(key.Span, iv, ct);
             CryptographicOperations.ZeroMemory(key.Span);
 
-            return decryptedCredStoreState;
+            return decrypted;
         }
 
         /// <summary>

Yubico.YubiKey/src/Yubico/YubiKey/Fido2/Fido2Session.cs

@@ -153,6 +153,39 @@ public ReadOnlyMemory<byte>? AuthenticatorIdentifier
             }
         }
 
+        /// <summary>
+        /// Retrieves and decrypts the authenticator's credential store state.
+        /// </summary>
+        /// <remarks>
+        /// <para>
+        /// This method leverages the <c>encCredStoreState</c> value obtained from the authenticator's
+        /// <c>authenticatorGetInfo</c> response. The <c>encCredStoreState</c> is an encrypted byte string
+        /// that platforms can use to detect credential store changes across resets.
+        /// </para>
+        /// <para>
+        /// A valid and active persistent PIN/UV Authentication Token (<c>persistentPinUvAuthToken</c>) is required to decrypt the state.
+        /// The authenticator must also support and return the `encCredStoreState` in its `getInfo` response (YubiKeys v5.8.0 and later).
+        /// </para>
+        /// <para>
+        /// By comparing the credential store state before and after operations (or across sessions), platforms can detect
+        /// when credentials have been added, removed, or when the authenticator has been reset.
+        /// </para>
+        /// </remarks>
+        /// <returns>
+        /// A byte array containing the decrypted 128-bit (16-byte) credential store state.
+        /// Returns null if the state cannot be decrypted (e.g., if the PPUAT is invalid or the <c>encCredStoreState</c> is missing).
+        /// </returns>
+        public ReadOnlyMemory<byte>? AuthenticatorCredStoreState
+        {
+            get
+            {
+                var ppuat = GetReadOnlyCredMgmtToken();
+                return ppuat.HasValue
+                    ? AuthenticatorInfo.GetCredStoreState(ppuat.Value)
+                    : null;
+            }
+        }
+
         /// <summary>
         /// Creates an instance of <see cref="Fido2Session" />, the object that represents the FIDO2 application on the
         /// YubiKey.

Yubico.YubiKey/tests/integration/Yubico/YubiKey/Fido2/Fido2Tests.cs

@@ -37,6 +37,27 @@ public void Session_AuthenticatorIdentifier_Returns_SameIdentifier()
         }
     }
 
+    [SkippableFact(typeof(DeviceNotFoundException))]
+    public void Session_AuthenticatorCredStoreState_Returns_SameCredStoreState()
+    {
+        ReadOnlyMemory<byte>? credStoreState1;
+
+        // First run
+        using (var session = GetSession(minFw: FirmwareVersion.V5_8_0))
+        {
+            credStoreState1 = session.AuthenticatorCredStoreState;
+            Assert.True(credStoreState1.HasValue);
+            Assert.NotEmpty(credStoreState1.Value.ToArray());
+        }
+
+        // Second run
+        using (var session = GetSession())
+        {
+            var credStoreState2 = session.AuthenticatorCredStoreState;
+            Assert.True(credStoreState2!.Value.Span.SequenceEqual(credStoreState1.Value.Span));
+        }
+    }
+
     [SkippableFact(typeof(DeviceNotFoundException))]
     public void AuthenticatorInfo_GetIdentifier_BothRuns_Returns_SameIdentifier()
     {