With the help of Yubico support, I found out that there's a problem with using the reset password. When using the unblock command of gpg2's card-edit, I can append an arbitrary string to the reset password and it will still be accepted. After that, the new password entered is not accepted by the verify command. The Yubico support team gave me the following example:
I think that this happens because when you reset (/change/unblock) the PIN
on the card, you send in a message consisting of the current PIN,
juxtaposed with the new PIN. The applet knows the total length of current +
new and the length of current, so it figures out the length of new as total
current. It checks the PIN and if it matches it changes it with the new
one.
Now if we take the case he's discussing
current PIN = 123456
new desired PIN = abcdef
when prompted for the PINs, the user types the following
current PIN = 123456xyz
new desired PIN = abcdef
what gpg sends to the applet is 123456xyzabcdef. This would then be parsed
to
current PIN = 123456 (first 6 bytes, the applet knows this)
new desired PIN = xyzabcdef (the remainder)
resulting in a successful match of the current PIN, but in an incorrect new
PIN.
Expected behavior
I would expect the yubikey to tell me that my reset code is false, because I did not supply it correctly. I would also expect the new password to be set to what I entered (and confirmed) in the new password window.
Extra info
For completeness: I'm using a Yubikey Neo with the following version of GPG2:
gpg2 --version
gpg (GnuPG) 2.0.22
libgcrypt 1.5.3
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ?, ?
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
With the help of Yubico support, I found out that there's a problem with using the reset password. When using the unblock command of gpg2's card-edit, I can append an arbitrary string to the reset password and it will still be accepted. After that, the new password entered is not accepted by the verify command. The Yubico support team gave me the following example:
Expected behavior
I would expect the yubikey to tell me that my reset code is false, because I did not supply it correctly. I would also expect the new password to be set to what I entered (and confirmed) in the new password window.
Extra info
For completeness: I'm using a Yubikey Neo with the following version of GPG2: