Closed mistial-dev closed 3 years ago
There's a second issue with ykman in that the management slot also has metadata, including whether it is default.
def get_management_key_metadata(self) -> ManagementKeyMetadata:
require_version(self.version, (5, 3, 0))
data = Tlv.parse_dict(
self.protocol.send_apdu(0, INS_GET_METADATA, 0, SLOT_CARD_MANAGEMENT)
)
policy = data[TAG_METADATA_POLICY]
pp.pprint(policy)
return ManagementKeyMetadata(
MANAGEMENT_KEY_TYPE(data.get(TAG_METADATA_ALGO, b"\x03")[0]),
data[TAG_METADATA_IS_DEFAULT] != b"\0",
TOUCH_POLICY(policy[INDEX_TOUCH_POLICY]),
)
Commit 9429de8 adds a flag for whether or not the management key is default, and clears it when the key is changed or a DES key is not present.
Additionally, it sets the touch policy metadata for all slots to "Never", due to the lack of any means to actually perform touch. I can remove this change if desired.
I had another look at the issue, and I was able to get YKMan to work with the default key in. The changes are in 855abf1.
I had to extend the length to AES192 from AES128 (so it would have the correct number of bytes), and had to bump the firmware version to 5.4.0 in order for ykman to recognize non-DES keys as supported.
Thanks for looking into this one! I double-checked the code in libykcs11 and pivy as well, and it doesn't seem like they were looking for the PIN retry counters in the metadata anyway, which is probably why I didn't notice that was wrong.
When resetting the PIV applet using ykman, the command terminates with an error, because it expects three bytes for the PIN retries.
Looking through the ykman piv code shows the three expected bytes.
This patch adds the retries remaining counter.
Additionally, processReset() failed when DES keys are disabled. This patch fixes reset when DES keys are disabled.