Yubico / yubico-piv-tool

Command line tool for the YubiKey PIV application
https://developers.yubico.com/yubico-piv-tool
BSD 2-Clause "Simplified" License

Managing multiple PIV certificates #497

Open mguaylam opened 4 months ago

mguaylam commented 4 months ago

My org has multiple PIV certificates; we are migrating from RSA SecurID to YubiKey. We are using YubiKey 5C NFC FIPS keys.

Already, being the FIPS version, I see quite a few limitations with the 5.4.3 firmware: no slot movement, deletion, etc. possible.

Another issue we are having is that the standard from NIST does not seem to be built around the idea of having multiple PIVs. Although, Windows seems to handle it quite gracefully even being out of spec?

But some of our Windows environments only see the first 2 PIVs (slots 9a and 9d) and not the 2 others in 82 and 83. Could changing the Key History Object to c10102c20100 be the solution? i.e. echo -n c10102c20100 | yubico-piv-tool -k -a write-object --id=0x5FC10C

I tried it but got :

N:\> echo -n c10102c20100 | "C:\Program Files\Yubico\Yubico PIV Tool\bin\yubico-piv-tool.exe" -k -v 15 -P=XXX -a write-object --id=0x5FC10C
DBG ykpiv.c:591 (ykpiv_connect): Connect reader 'Yubico YubiKey OTP+FIDO+CCID 0' matching 'Yubikey'.
DBG ykpiv.c:597 (ykpiv_connect): SCardConnect succeeded for 'Yubico YubiKey OTP+FIDO+CCID 0', protocol=2
DBG ykpiv.c:777 (ykpiv_translate_sw): SW_63c3
Now processing for action 'write-object'.
Authenticating since action 'write-object' needs that.
DBG ykpiv.c:753 (ykpiv_translate_sw): SW_ERR_SECURITY_STATUS
DBG ykpiv.c:1830 (_ykpiv_fetch_object): Failed to get data for object 5fc109
Enter management key: XXX

Successful application authentication.
Failed reading data
DBG ykpiv.c:346 (ykpiv_disconnect): Disconnect card #27182090.

What is SW_ERR_SECURITY_STATUS? I can't find documentation about this error code.

Thank you for your help.

qpernil commented 3 months ago

SW_ERR_SECURITY_STATUS is status code 0x6982 from the PIV application, meaning that an object cannot be read because the PIN has not been verified. There are a few PIN-protected objects in PIV, 5fc109 being one of them. To get by that you need to add a verify-pin action before the write-object action (-P only specifies the PIN value, it doesn't verify it against the card). The reason there is a verify-pin action is so that you have full control of when the PIN is verified against the card without specifying its value multiple times. This can be needed for PIN policy always (which by default is in effect for slot 9c).

As for the reason that slot (5fc109) is read: it is because Yubico tools use that slot to store some metadata. In this usage of the tools the failure to read the slot actually doesn't matter.

The status codes can be found in ykpiv.h but are not otherwise documented in yubico-piv-tools, their meaning is specified by the PIV spec.

qpernil commented 3 months ago

The reason you get the final 'Failed reading data' is more unclear; when I try your command line (on macOS) it works. Perhaps you are using an echo command (maybe built into your shell) that doesn't honor the -n option? Maybe try with a file that you know contains no newlines and the -i option to yubico-piv-tool.

To clarify: 'Failed reading data' indicates the tool failed reading the input data, which is expected to be hex-coded by default. Other formats can also be specified using the --format or -f options.
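
As an added example (not code from this thread or from the yubico-piv-tool project), the POSIX shell script below builds the Key History Object body from the two counts, writes it to a file with no trailing newline, checks the file's byte count, and shows the verify-pin plus write-object invocation using -i instead of a pipe. Assumptions: the C1/C2 tag layout (number of retired keys with on-card certificates, number with off-card certificates) follows SP 800-73-4 as I read it, the 0..20 bound reflects the 20 retired slots 82-95, the EDC tag is omitted as in the value posted above, and the function names are mine.

```shell
#!/bin/sh
# Added example: encode the PIV Key History Object (0x5FC10C) body and write it
# with yubico-piv-tool, verifying the PIN before the write. Not project code.

# Hex body of the Key History Object. Tag C1 = count of retired keys with
# on-card certs, tag C2 = count with off-card certs (SP 800-73-4 layout,
# assumed). The error-detection tag FE is left out, as in the thread's value.
key_history_hex() {
  on=$1
  off=$2
  # Assumption: at most 20 retired slots (82..95), so counts are 0..20.
  if [ "$on" -lt 0 ] || [ "$on" -gt 20 ] || [ "$off" -lt 0 ] || [ "$off" -gt 20 ]; then
    echo "counts must be in 0..20" >&2
    return 1
  fi
  printf 'c101%02xc201%02x' "$on" "$off"
}

# Write the hex to a file. printf emits no newline, so the file holds exactly
# the 12 hex characters yubico-piv-tool expects to parse.
write_hex_file() {
  key_history_hex "$1" "$2" > "$3"
}

# Byte count of a file: a quick check that no newline or CR crept in.
file_size() {
  wc -c < "$1" | tr -d ' '
}

# The actual write. verify-pin runs first so the PIN-protected object the tool
# reads along the way (5fc109) does not fail with 0x6982; -k prompts for the
# management key, -i reads the hex body from the file. Requires a connected
# YubiKey, so it is wrapped in a function rather than run here.
write_key_history() {
  yubico-piv-tool -a verify-pin -a write-object --id=0x5FC10C -k -i "$1"
}

# Stand-alone run: two on-card certs in retired slots, none off-card.
if [ "${1:-}" = "--demo" ]; then
  write_hex_file 2 0 keyhistory.hex
  echo "wrote $(file_size keyhistory.hex) bytes: $(cat keyhistory.hex)"
fi
```

On Windows the likely cause of 'Failed reading data' is that cmd.exe's built-in echo has no -n option: it prints the literal text "-n c10102c20100" followed by CRLF, which is not valid hex. Writing the value to a file and passing it with -i sidesteps that.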

qpernil commented 3 months ago

Object movement and deletion came in the 5.7 firmware. However, if you have the private keys somewhere else you can import and overwrite keys at will even with older firmware. The history object has no meaning to the YubiKey itself, so the effect of modifying it is entirely up to other software.