Closed FStelzer closed 1 year ago
I'm guessing this YubiKey is from before firmware 5.3.0, is that right? So it doesn't have the GET_METADATA command? Because that works on imported slots fine in my testing.
A manual override for the touch policy doesn't seem totally unreasonable -- I think I would prefer that to the timeout hack, since with the PCSC API the timeout hack requires using threads or signals.
Yes, you are correct, the key is an older one. I didn't know that the newer ones support retrieving this data in another way. If I have time I'll take a look at a manual config, but I don't think it's really necessary then for this edge case. You get used to it quite quickly: when stuff takes a bit longer than expected, you'll need to touch the key ^^ I'll just close this for now.
I am using a Yubikey 5 with imported PIV certs/keys (created via a corporate CMS and backed up). Therefore these keys don't have an attestation cert. The key still has PIN & touch policies for every key (usually the cached touch policy). Without the attestation cert pivy-agent is unable to get this information about the policies from the YubiKey, and afaik it is not possible to do so in any other way. Would it be possible to add configuration so I'm able to manually specify the policies per slot? At the moment I always have to remember to touch the key when some operation hangs, and the touch notification would be nice :) If you're open to the idea I'd try writing a patch for it. I haven't looked into it deeply yet, so I'm not sure how difficult it would be. I think the PIN policy does not need configuration since the card will ask for the login if necessary, so the config could just be something like: -T 9a:always,9c:cached
Edit: Other agents just use a timeout (100ms or similar) for key operations and just assume a touch is necessary if it's triggered. This feels kinda wrong to me though...
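An added example (not pivy's code) of how the proposed -T override could be parsed and consulted: it reads a spec in the "9a:always,9c:cached" form into a per-slot table, rejects the whole spec on any malformed entry so a typo cannot silently leave a slot unconfigured, and falls back to whatever the card reported (unknown when there is neither an attestation cert nor GET_METADATA). The type, function names and the 256-entry table are assumptions for this illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Touch policies as a PIV attestation cert or GET_METADATA would report them. */
enum touch_policy { TOUCH_UNKNOWN = 0, TOUCH_NEVER, TOUCH_ALWAYS, TOUCH_CACHED };

/* Hypothetical override table, indexed by PIV slot id (0x00..0xff). */
struct touch_overrides { enum touch_policy policy[256]; };

static enum touch_policy parse_policy(const char *s)
{
	if (strcmp(s, "never") == 0) return TOUCH_NEVER;
	if (strcmp(s, "always") == 0) return TOUCH_ALWAYS;
	if (strcmp(s, "cached") == 0) return TOUCH_CACHED;
	return TOUCH_UNKNOWN;
}

/* Parse "9a:always,9c:cached" into ovr. Returns 0 on success, -1 if any
 * entry is malformed; ovr is left empty in that case. */
int parse_touch_spec(const char *spec, struct touch_overrides *ovr)
{
	const char *p = spec;
	memset(ovr, 0, sizeof(*ovr));
	while (*p) {
		const char *comma = strchr(p, ',');
		size_t len = comma ? (size_t)(comma - p) : strlen(p);
		char entry[32], *colon, *end;
		long slot;
		enum touch_policy pol;
		if (len == 0 || len >= sizeof(entry)) return -1;
		memcpy(entry, p, len);
		entry[len] = '\0';
		colon = strchr(entry, ':');          /* "<slot hex>:<policy>" */
		if (colon == NULL) return -1;
		*colon = '\0';
		slot = strtol(entry, &end, 16);
		if (entry[0] == '\0' || *end != '\0' || slot < 0 || slot > 0xff) return -1;
		pol = parse_policy(colon + 1);
		if (pol == TOUCH_UNKNOWN) return -1;
		ovr->policy[slot] = pol;
		p = comma ? comma + 1 : p + len;
	}
	return 0;
}

/* Decide whether to show the "touch your key" notification before an
 * operation on slot: a configured override wins, else the card's own answer. */
int touch_prompt_needed(const struct touch_overrides *ovr, unsigned slot,
    enum touch_policy from_card)
{
	enum touch_policy p = ovr->policy[slot & 0xff];
	if (p == TOUCH_UNKNOWN) p = from_card;
	return (p == TOUCH_ALWAYS || p == TOUCH_CACHED);
}
```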