Closed smferris closed 1 month ago
I created a TDES key using the default byte pattern using the ykman GUI, and then everything worked as expected, so that's the workaround for now, but this will be a pain point as the number of new yubikeys in the field grows.
Would it make sense to try AES192 if TDES fails and the key is the default value, or vice versa? Giving the caller some way to specify the key type would also help, so that it could at least be plumbed down from a command line argument.
I think logic could be added using this knowledge:
So therefore by inspecting the key version you could do this in SetManagementKey
:
ykAuthenticate
and ykSetManagementKey
.ykAuthenticate
ykSetManagementKey
Does that make sense?
Makes sense to me, and I'd certainly prefer a solution that autodetected the key type so that it works with all firmware versions, and newer firmware can use aes-192 rather than get downgraded to 3des.
I've got a working solution that determines the current key type from the slot metadata if available, else assumes 3DES. It also allows setting the management key to different key types (determining which key type to set based on whether you pass in a 16, 24, or 36 byte key. For 24 byte keys it tries AES192 first and falls back to 3DES).
This should be fixed on the v2 branch, but I want to make sure there's some agreement that we don't need to change any other APIs before tagging (#153). Is #149 sufficient to fix this issue?
I believe #149 is sufficient. I have verified it working with yubikeys that only support 3DES, support AES+3DES but default to 3DES, and support AES+3DES but default to AES192. I have also verified it working for all three AES key lengths in the standard (128/192/256).
Also, fixing this issue also fixes https://github.com/go-piv/piv-go/issues/109
The v2 version now supports different management keys. Switching to that should be sufficient?
ykAuthenticate() hardcodes alg3DES for the piv management key, but newer yubkeys that have 5.7.x firmware are now defaulting to an aes192 key.
I suspect this default key change is why yubikey-agent (which uses piv-go) is unable to setup the yubikey, and errors out with:
‼️ The default Management Key did not work