iqlusioninc / yubikey.rs

Pure Rust YubiKey host-side driver for PIV-based RSA/ECC key storage + signing/encryption support
BSD 2-Clause "Simplified" License

PIV: Support AES management keys #330

Open str4d opened 2 years ago

str4d commented 2 years ago

Historically, YubiKey's PIV applet only supported 3DES management keys. However, YubiKeys with firmware 5.4 and up (produced starting from May 2021) support AES-128, AES-192, and AES-256 management keys, which are allowed at least as early as NIST SP 800-78-2 (released in 2010).

We should add support for AES management keys, to enable people who want to migrate away from the default 3DES keys to do so.

archaelus commented 2 years ago

Hi all, I'm interested in working on this. One of the first questions I have is: the MgmKey struct now needs to either be a DES key or an AES key. If I turn it into an enum, I then have to bifurcate every method on MgmKey - I think this is the way I went the last time I (privately) attempted this. It works, but doesn't feel tidy. Alternately, maybe MgmKey could be a trait, and DesKey/AesKey could implement that? I'd hope with that approach that the code for different key types would be neatly separate, but I have no idea what the downsides to this are.

Anyone have a recommendation? Or I can just wade in and see how it looks.

tony-iqlusion commented 2 years ago

Could go either way, although the trait-based approach sounds a bit nicer to me.
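
The trait-based layout discussed in this thread, sketched as an added example that is not code from yubikey.rs or from any commenter. `ManagementKey`, `DesKey`, `AesKey`, `parse_key` and `KeyError` are hypothetical names; the algorithm identifiers are the ones NIST SP 800-78 assigns to 3DES and AES-128/192/256, and the example shows key typing and length validation where the algorithm is only known at run time.

```rust
// Hypothetical names, not the yubikey.rs API; algorithm IDs per NIST SP 800-78.
#[derive(Debug, PartialEq)]
pub enum KeyError {
    UnknownAlgorithm(u8),
    BadLength { expected: usize, got: usize },
}

/// Behaviour every management key type shares.
pub trait ManagementKey {
    fn algorithm_id(&self) -> u8;
    /// Authentication challenge size equals the cipher block size.
    fn challenge_len(&self) -> usize;
    fn as_bytes(&self) -> &[u8];
}

pub struct DesKey(Vec<u8>); // always 24 bytes, enforced by parse_key
pub struct AesKey(Vec<u8>); // 16, 24 or 32 bytes, enforced by parse_key
impl ManagementKey for DesKey {
    fn algorithm_id(&self) -> u8 { 0x03 }
    fn challenge_len(&self) -> usize { 8 }
    fn as_bytes(&self) -> &[u8] { &self.0 }
}
impl ManagementKey for AesKey {
    fn algorithm_id(&self) -> u8 { match self.0.len() { 16 => 0x08, 24 => 0x0A, _ => 0x0C } }
    fn challenge_len(&self) -> usize { 16 }
    fn as_bytes(&self) -> &[u8] { &self.0 }
}

/// 3DES and AES-192 keys are both 24 bytes, so `alg` must be given explicitly.
pub fn parse_key(alg: u8, bytes: &[u8]) -> Result<Box<dyn ManagementKey>, KeyError> {
    let expected = match alg {
        0x03 | 0x0A => 24,
        0x08 => 16,
        0x0C => 32,
        other => return Err(KeyError::UnknownAlgorithm(other)),
    };
    if bytes.len() != expected {
        return Err(KeyError::BadLength { expected, got: bytes.len() });
    }
    let key: Box<dyn ManagementKey> = if alg == 0x03 {
        Box::new(DesKey(bytes.to_vec()))
    } else {
        Box::new(AesKey(bytes.to_vec()))
    };
    Ok(key)
}
fn main() {
    let k = parse_key(0x0C, &[0u8; 32]).ok().unwrap(); // constructed all-zero sample key
    println!("alg {:#04x}, challenge {} bytes", k.algorithm_id(), k.challenge_len());
}
```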