[Bug]: Yubikey AES management keys
Steps to Reproduce
- Have a YubiKey with an AES128, AES192, or AES256 management key, generated with `ykman piv access change-management-key -t -g -a AES256`.
- Try to generate a key.
Your Environment
- OS - Fedora
- Version - 36
Expected Behavior
Key generation should succeed.
Actual Behavior
Get error `Error: failed to load key manager: invalid managementKey: length is not 24 bytes`, or `Error: failed to create key: error generating key: authenticating with management key: get auth challenge: smart card error 6a80: incorrect parameter in command data field` if the key type is AES192.
Additional Context
https://docs.yubico.com/hardware/yubikey/yk-5/tech-manual/yk5-piv-tech-desc.html#piv-aes-management-key documents the AES Key which then references https://csrc.nist.gov/publications/detail/sp/800-78/4/final
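An added example (not code from the issue, the project, or go-piv) that models why the two errors above differ: the "length is not 24 bytes" check happens in a client that only implements the 3DES management-key protocol, while an AES-192 key is also 24 bytes, passes that check, and is then rejected by the card with 6a80. Key sizes are taken from NIST SP 800-78-4; `CheckManagementKey` and the outcome names are hypothetical.

```go
package main

import (
	"encoding/hex"
	"fmt"
)

// Management key sizes in bytes per PIV algorithm (NIST SP 800-78-4).
var mgmtKeySize = map[string]int{
	"3DES":   24,
	"AES128": 16,
	"AES192": 24,
	"AES256": 32,
}

// Outcome models what a 3DES-only client (as go-piv was when this issue was
// filed) does with a given management key. Hypothetical type for illustration.
type Outcome string

const (
	OK              Outcome = "ok"                      // 3DES key, authentication succeeds
	WrongLength     Outcome = "length is not 24 bytes"  // rejected locally, card never contacted
	CardRejectsAPDU Outcome = "card returns 6a80"       // card refuses the 3DES authenticate
)

// CheckManagementKey reports how a 3DES-only client behaves with keyHex when the
// card's key was configured with cardAlg (the -a value passed to ykman).
func CheckManagementKey(keyHex, cardAlg string) (Outcome, error) {
	key, err := hex.DecodeString(keyHex)
	if err != nil {
		return "", fmt.Errorf("management key is not hex: %w", err)
	}
	want, known := mgmtKeySize[cardAlg]
	if !known {
		return "", fmt.Errorf("unknown management key algorithm %q", cardAlg)
	}
	if len(key) != want {
		return "", fmt.Errorf("%s key must be %d bytes, got %d", cardAlg, want, len(key))
	}
	// Client-side check: only a 24-byte key is accepted, so AES-128 and
	// AES-256 keys fail before any APDU is sent.
	if len(key) != mgmtKeySize["3DES"] {
		return WrongLength, nil
	}
	// AES-192 is also 24 bytes: the local check passes, the client sends a
	// 3DES GENERAL AUTHENTICATE, and the card answers 6a80.
	if cardAlg != "3DES" {
		return CardRejectsAPDU, nil
	}
	return OK, nil
}
```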
Hi @scj643, unfortunately, the YubiKey implementation is based on go-piv, which only supports Triple DES management keys. I would recommend creating an issue on go-piv.
But you might be able to use the PKCS#11 module via the YubiKey YKCS11 driver available with yubico-piv-tool.
Might be fixed by #575