Yubico/yubico-piv-tool

Add support for management key derivation from PIN like YubiKey Manager

Opened this issue · 0 comments

The PIV guide https://developers.yubico.com/PIV/Guides/Device_setup.html hints at setting up the YubiKey using a management key derived from PIN with:

ykman piv change-management-key --generate --protect

But after doing that, yubico-piv-tool will fail with "Failed authentication with the application: Authentication error." in commands like:

yubico-piv-tool -s 9a -a generate -o public.pem

The culprit is explained at #153 (comment), where they explain that the management key derived from PIN is not supported by yubico-piv-tool.

Although ykman piv xxxx (the CLI for YubiKey Manager) could be used as a replacement for yubico-piv-tool and it already supports this management key derivation from PIN, the fact is that a lot of the documentation uses yubico-piv-tool, so it would be good if yubico-piv-tool supported this.

If there is already a decision not to support this, it would at least help if it could detect that the "management key derivation from PIN" is activated on the YubiKey and give a more concrete error message like "management key protected by PIN use ykman instead of yubico-piv-tool".

Related #153