FiloSottile / yubikey-agent

yubikey-agent is a seamless ssh-agent for YubiKeys.
https://filippo.io/yubikey-agent
BSD 3-Clause "New" or "Revised" License

Attestation cert failure when generating key locally #91

Open tmb opened 2 years ago

tmb commented 2 years ago

Hey folks,

I generated an ECDSA 256 key + certificate locally and added them to my Yubikey. Now, when trying to use yubikey-agent, I get this error: failed to prepare private key: get attestation cert: data object or application not found

I assume this has something to do with my key not being generated on-device. Is there any way to get around this?

Thanks.

FiloSottile commented 2 years ago

The attestation certificate is necessary to extract the PIN policy of the slot. If there is a way to obtain it for imported keys, you should open an issue or PR with piv-go. If not, the best we can do is hardcode it, and it's unclear to what value.

Note that imported keys are not officially supported.

joeyberkovitz commented 2 years ago

@FiloSottile - would you be open to a command line flag to override the PIN policy? That way if the user imported a key, or is using an old Yubikey where piv-go is forced to assume PINPolicyAlways, the user can specify what the actual PIN policy is.

Based on a quick look through, the only change would be getting the flag value into main.go:signers() under piv.KeyAuth

If you think that's reasonable, I'd be happy to submit a PR for that
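The two paths the thread discusses, as an added example that is not code from yubikey-agent or piv-go: reading the PIN policy out of the Yubico extension (OID 1.3.6.1.4.1.41482.3.8, two raw bytes: PIN policy then touch policy) of a slot's attestation certificate, and, when the card has no attestation for the slot (the imported-key case from the first comment), taking an explicit override instead of guessing (the flag the third comment proposes). The `--pin-policy` flag name, the `resolvePINPolicy` and `parsePINPolicyFlag` helpers, the `attest` callback standing in for piv-go's `yk.Attest(slot)`, the `errNoAttestation` value and the self-signed sample certificate are all assumptions of this example; the resulting value is what would be placed in piv-go's `piv.KeyAuth.PINPolicy` field at the point in `main.go:signers()` the thread names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PINPolicy mirrors the three PIV PIN-caching policies a YubiKey slot can carry.
type PINPolicy int

const (
	PINPolicyNever  PINPolicy = 1 // signs without a PIN
	PINPolicyOnce   PINPolicy = 2 // one PIN verification per session
	PINPolicyAlways PINPolicy = 3 // PIN before every signature
)

// yubicoPolicyOID is the Yubico attestation extension 1.3.6.1.4.1.41482.3.8.
// Its value is two raw bytes: [0] PIN policy (1 never, 2 once, 3 always),
// [1] touch policy. The card only produces it for keys generated on-device.
var yubicoPolicyOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 41482, 3, 8}

// errNoAttestation stands in for the card error the issue reports for an
// imported key (constructed for this example, not a piv-go value).
var errNoAttestation = errors.New("data object or application not found")

// pinPolicyFromAttestation extracts the PIN policy from an attestation cert.
func pinPolicyFromAttestation(cert *x509.Certificate) (PINPolicy, error) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(yubicoPolicyOID) {
			continue
		}
		if len(ext.Value) != 2 {
			return 0, fmt.Errorf("policy extension: want 2 bytes, got %d", len(ext.Value))
		}
		if p := PINPolicy(ext.Value[0]); p >= PINPolicyNever && p <= PINPolicyAlways {
			return p, nil
		}
		return 0, fmt.Errorf("policy extension: unknown PIN policy %d", ext.Value[0])
	}
	return 0, errors.New("attestation cert has no Yubico policy extension")
}

// parsePINPolicyFlag parses the value of a hypothetical --pin-policy flag.
func parsePINPolicyFlag(s string) (PINPolicy, error) {
	switch s {
	case "never":
		return PINPolicyNever, nil
	case "once":
		return PINPolicyOnce, nil
	case "always":
		return PINPolicyAlways, nil
	}
	return 0, fmt.Errorf("unknown PIN policy %q (want never, once or always)", s)
}

// resolvePINPolicy decides what goes into piv.KeyAuth.PINPolicy: an explicit
// override wins; otherwise attest (standing in for yk.Attest(slot)) is called
// and the cert parsed. With neither, the card error is returned rather than
// guessed at, which is the failure the issue reports.
func resolvePINPolicy(attest func() (*x509.Certificate, error), override string) (PINPolicy, error) {
	if override != "" {
		return parsePINPolicyFlag(override)
	}
	cert, err := attest()
	if err != nil {
		return 0, fmt.Errorf("get attestation cert: %w", err)
	}
	return pinPolicyFromAttestation(cert)
}

// constructedAttestation builds a self-signed cert carrying the policy extension.
// A real one is signed by the YubiKey's attestation key (slot f9); this stand-in
// only reproduces the extension so the parsing path can run offline.
func constructedAttestation(pin, touch byte) (*x509.Certificate, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		NotBefore:       time.Now(),
		NotAfter:        time.Now().Add(time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: yubicoPolicyOID, Value: []byte{pin, touch}}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	onDevice := func() (*x509.Certificate, error) { return constructedAttestation(2, 1) }
	imported := func() (*x509.Certificate, error) { return nil, errNoAttestation }

	p, err := resolvePINPolicy(onDevice, "")
	fmt.Println("on-device key:", p, err)
	_, err = resolvePINPolicy(imported, "")
	fmt.Println("imported key, no override:", err)
	p, err = resolvePINPolicy(imported, "always")
	fmt.Println("imported key, --pin-policy=always:", p, err)
}
```

One caveat worth keeping in mind with any override or hardcoded value: the PIN policy is enforced by the card, not by the agent, so a wrong value cannot weaken the slot. Stating a looser policy than the slot really has makes the card reject the signature and the agent fail loudly; stating a stricter one only costs extra PIN prompts. That makes `always` the conservative choice if a default ever has to be hardcoded for slots without an attestation.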