CSIS / EnrollmentStation

Enrollment Station for enrolling Yubico smart cards in a Windows PKI

Unable to create CSR on Yubikey 4 firmware 4.3.1 #14

Closed raunn closed 8 years ago

raunn commented 8 years ago

I just got a few Yubikey 4's with a newer firmware, v4.3.1. When I try to enroll, it errors with "Unable to create CSR". Previous batch of Yubikey 4's with firmware v4.2.8 work fine.

raunn commented 8 years ago

Sorry, the exact error is "Unable to generate a CSR"

LordMike commented 8 years ago

Hi @raunn

Could you try the latest 0.3.3.5 build? We've observed that error and made this build internally to find out what happened. But it turns out that this exact error is dependent on some condition, because it didn't reappear the second time around. But perhaps you can catch the text.

It all comes down to the Yubico piv tool not returning a successful exit code.

raunn commented 8 years ago

I know what it was. I was trying to use a 4-digit pin to enroll the fresh key. The new firmware requires 6 digits. I could tell because the PIV Tool wouldn't let me initialize with 4 digits and gave me an error telling me it needed 6+ digits.

Using ES 0.3.3.6, I was able to successfully provision a Yubikey 4 with firmware 4.3.1 with a 6-digit PIN.

Please note, if I tried 4 digits, the error was: Pin verification failed, 2 tries left before pin is blocked.


Even though the key was previously uninitialized. If possible, it would probably be better to have the error be related to PIN length. Not sure if the piv tool call you are making returns a related error, you might have to just know that they changed the requirement at a certain version number. Not sure which, but somewhere between 4.2.8 and 4.3.1.

Thank you very much for the prompt response, and for all of your work on this project. This has been a really great tool to have, and makes provisioning a snap!

LordMike commented 8 years ago

Nice that the debug info worked. (Hadn't actually tested it :)). Reg. info, this is probably all we can get. I don't think we even have a requirement of PIN contents, beyond being 1+ character. Do you know if it's a specific firmware version? (then we could make an exception for it, and prevent the error in the first case).

In our company, our default PIN if we don't let the user choose it, is 123456, so we'd never encounter this anyways :|.

Ps. you say "digits", but a PIN doesn't actually have to be number. Just fyi.

raunn commented 8 years ago

Right you are, should have said "characters" or similar.

No, I'm afraid I don't know the exact version or have any real details on the change. I've submitted a ticket to Yubico to see if they will tell us, I'll let you know what I find.

raunn commented 8 years ago

Ok, Yubico reports that the PIN policy was changed in 4.3.1. So you will have to enforce a minimum of 6 characters if the firmware is 4.3.1 or above.

Unfortunately they also said that the internal firmware changes are not published anywhere, so we will still need to go through support if we see future issues.

mike-csis commented 8 years ago

Well damn. Do you know what the previous requirement was?

raunn commented 8 years ago

It was 4 characters in 4.3.0 and before.

Alternatively you could just have ES always require 6 characters. It's arguably the more secure choice, and seems accepted as industry best practice.

LordMike commented 8 years ago

Well. Yes. On the other hand though, you only have three attempts (by default), so anything slightly complex is secure.

And you can already go alphanumerical, making it way better than your credit cards. :)


On 22 Sep 2016, at 18.17, Raun Nohavitza notifications@github.com wrote:

It was 4 characters in 4.3.0 and before.

Alternatively you could just have ES always require 6 characters. It's arguably the more secure choice, and seems accepted as industry best practice.


mike-csis commented 8 years ago

I've just tested on my Yubikey 4, firmware 4.2.7, and it accepted a 1-char PIN. Are you certain about the 4-char requirement?

raunn commented 8 years ago

No I'm not sure, we had been using 4 before so I guess I made an incorrect assumption. I've asked Yubico what the previous minimum length was, and will report back.

raunn commented 8 years ago

Per Yubico support:

PIN requirement was previously 4-8 characters and is now 6-8 characters (can be alphanumeric unless you're using it to pair with macOS Sierra).

Best Regards,
Chris
Yubico Support

mike-csis commented 8 years ago

@raunn I'm in touch with Chris directly. I'll take it from there. Thanks for bringing this to our attention :)

SueHeim commented 8 years ago

Hi all, just to be clear, macOS Sierra is now enforcing numeric PINs, so we at Yubico are recommending that you create numeric PINs to allow for cross-platform compatibility. If you are never ever going to use your device on a macOS system, you can use an alphanumeric PIN, but I would recommend sticking to a numeric just in case. (Because you never know!!) ...sue Info Dev Manager

raunn commented 8 years ago

Thanks Sue, good to know - we are running a mixed environment here. All PINs numeric so far, so we should be good.
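The PIN policy worked out in this thread (4-8 characters before firmware 4.3.1, 6-8 from 4.3.1 on, numeric for macOS Sierra), as an added pre-flight check that is not EnrollmentStation's own code. It assumes the firmware version is already known as a "major.minor.patch" string, and takes the 4-character floor for older firmware from Yubico support's statement above rather than from the 4.2.7 test that accepted a 1-character PIN.

```python
# Added example (not the project's code): validate a PIV PIN against the
# firmware-dependent policy described in this issue before calling the
# Yubico piv tool, so a too-short PIN is reported as a length problem
# instead of surfacing as "Pin verification failed" from the tool.
from typing import Optional, Tuple

FIRMWARE_MIN6 = (4, 3, 1)  # first firmware enforcing a 6-character minimum
PIN_MAX = 8                # upper bound reported by Yubico support


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.3.1' into (4, 3, 1) so versions compare as tuples."""
    return tuple(int(part) for part in text.strip().split("."))


def min_pin_length(firmware: str) -> int:
    """Minimum PIN length for the given firmware version string."""
    return 6 if parse_version(firmware) >= FIRMWARE_MIN6 else 4


def check_pin(pin: str, firmware: str, macos_compatible: bool = False) -> Optional[str]:
    """Return None if the PIN satisfies the policy, else a message naming
    the exact problem. macos_compatible=True additionally requires digits
    only, per Yubico's Sierra recommendation in this thread."""
    low = min_pin_length(firmware)
    if len(pin) < low:
        return f"PIN too short: firmware {firmware} requires {low}-{PIN_MAX} characters"
    if len(pin) > PIN_MAX:
        return f"PIN too long: at most {PIN_MAX} characters allowed"
    if macos_compatible and not pin.isdigit():
        return "PIN must be numeric for macOS Sierra compatibility"
    return None


if __name__ == "__main__":
    # Constructed sample cases mirroring the thread: a 4-character PIN on
    # 4.2.8 enrolls, the same PIN on 4.3.1 is rejected with a clear reason.
    for pin, fw in (("1234", "4.2.8"), ("1234", "4.3.1"), ("123456", "4.3.1")):
        print(fw, pin, "->", check_pin(pin, fw) or "ok")
```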