[Bug]: Yubikey AES management keys #114

Closed
scj643 opened this issue Nov 1, 2022 · 2 comments · Fixed by #604
Labels
enhancement New feature or request

Comments

scj643 commented Nov 1, 2022

Steps to Reproduce

  1. Have a yubikey with an AES128, AES192, or AES256 management key.
    1. Generated with ykman piv access change-management-key -t -g -a AES256
  2. Try to generate a key.

Your Environment

  • OS - Fedora
  • Version - 36

Expected Behavior

Key generation should succeed.

Actual Behavior

Get error

  Error: failed to load key manager: invalid managementKey: length is not 24 bytes

or

  Error: failed to create key: error generating key: authenticating with management key: get auth challenge: smart card error 6a80: incorrect parameter in command data field

if the key type is AES192

Additional Context

https://docs.yubico.com/hardware/yubikey/yk-5/tech-manual/yk5-piv-tech-desc.html#piv-aes-management-key documents the AES Key which then references https://csrc.nist.gov/publications/detail/sp/800-78/4/final

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

@scj643 scj643 added bug Something isn't working needs triage labels Nov 1, 2022

maraino commented Nov 1, 2022

Hi @scj643, unfortunately, the YubiKey implementation is based on go-piv, which only supports Triple DES management keys. I would recommend that you create an issue on go-piv.

But you might be able to use the PKCS#11 module using the YubiKey YKCS11 driver available with yubico-piv-tool.

@dopey dopey removed the needs triage label Jan 6, 2023
@maraino maraino added enhancement New feature or request and removed bug Something isn't working labels Feb 20, 2024
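
The two errors in the report differ because an AES192 key is 24 bytes, the same length as a Triple DES key, so a length-only check lets it through and the failure moves to authentication. The following is an added example, not code from go-piv or this project: the function names are hypothetical, and the algorithm identifiers and key lengths are those of NIST SP 800-78-4, which the report links to.

```go
package main

import (
	"encoding/hex"
	"fmt"
)

// Management-key algorithm identifiers from NIST SP 800-78-4.
const (
	Alg3DES   byte = 0x03
	AlgAES128 byte = 0x08
	AlgAES192 byte = 0x0a
	AlgAES256 byte = 0x0c
)

// keyLen is the required key length in bytes for each algorithm.
var keyLen = map[byte]int{Alg3DES: 24, AlgAES128: 16, AlgAES192: 24, AlgAES256: 32}

// LengthOnlyCheck reproduces the length test implied by the first error in the
// report: it rejects AES128/AES256 keys but accepts an AES192 key as if it were 3DES.
func LengthOnlyCheck(key []byte) error {
	if len(key) != 24 {
		return fmt.Errorf("invalid managementKey: length is not 24 bytes")
	}
	return nil
}

// ParseManagementKey (hypothetical) validates a hex key against the algorithm
// the caller declares, since length alone cannot separate 3DES from AES192.
func ParseManagementKey(hexKey string, alg byte) ([]byte, error) {
	want, ok := keyLen[alg]
	if !ok {
		return nil, fmt.Errorf("unsupported management key algorithm 0x%02x", alg)
	}
	key, err := hex.DecodeString(hexKey)
	if err != nil {
		return nil, fmt.Errorf("management key is not valid hex: %w", err)
	}
	if len(key) != want {
		return nil, fmt.Errorf("algorithm 0x%02x needs a %d-byte key, got %d", alg, want, len(key))
	}
	return key, nil
}

func main() {
	aes256 := "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f" // constructed sample
	key, err := ParseManagementKey(aes256, AlgAES256)
	fmt.Println(len(key), err, LengthOnlyCheck(key))
}
```
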
hslatman commented

Might be fixed by #575
