Managing multiple PIV certificates #497
Comments
SW_ERR_SECURITY_STATUS is status code 0x6982 from the PIV application, meaning that an object cannot be read because PIN has not been verified. There are a few PIN-protected objects in PIV, 5fc109 being one of them. To get by that you need to add a verify-pin action before the write-object action (-P only specifies the pin value, it doesn't verify it against the card). The reason there is a verify-pin action is so that you have full control of when the pin is verified against the card without specifying its value multiple times. This can be needed for pin policy always (which by default is in effect for slot 9c). The status codes can be found in ykpiv.h but are not otherwise documented in yubico-piv-tool; their meaning is specified by the PIV spec.
The reason you get the final 'Failed reading data' is more unclear; when I try your command line (on macOS) it works. Perhaps you are using an echo command (maybe built-in in your shell) that doesn't honor the -n option? Maybe try with a file that you know contains no newlines and the -i option to yubico-piv-tool.
Object movement and deletion came in the 5.7 firmware. However, if you have the private keys somewhere else you can import and overwrite keys at will even with older firmware. The history object has no meaning to the YubiKey itself, so the effect of modifying it is entirely up to other software.
My org has multiple PIV certificates, migrating from RSA SecurID to YubiKey.
We are using YubiKey 5C NFC FIPS keys.
Already being the FIPS version, I see quite a bit of limitations with the 5.4.3 firmware: no slot movement, deletion, etc. possible.
Another issue we are having is that the standard from NIST does not seem to be built around the idea of having multiple PIVs.
Although, Windows seems to handle it quite gracefully even being out of spec?
But some of our Windows environments only see the first 2 PIVs (slots 9a and 9d) and not the 2 others in 82 and 83.
Could changing the Key History Object to c10102c20100 be the solution? i.e.
echo -n c10102c20100 | yubico-piv-tool -k -a write-object --id=0x5FC10C
I tried it but got:
What is SW_ERR_SECURITY_STATUS? I can't find documentation about this error code. Thank you for your help.
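As an added example (not code from this issue or from yubico-piv-tool), a small Python codec for the Key History Object value the question asks about, plus the name of the status word the maintainer explains. The field layout follows NIST SP 800-73-4 Part 1 (tags C1, C2, F3, FE); the field names and the `sw_name` helper are chosen here.

```python
"""Encode and decode the PIV Key History Object (data object 0x5FC10C) and
name the status word 0x6982 seen in the issue. Added example, not code from
yubico-piv-tool; layout per NIST SP 800-73-4 Part 1, field names chosen here."""

# 0x6982 = "security status not satisfied": a PIN-protected object was touched
# before the PIN was verified (name as used in ykpiv.h).
SW_NAMES = {0x9000: "SW_SUCCESS", 0x6982: "SW_ERR_SECURITY_STATUS"}

def sw_name(sw: int) -> str:
    return SW_NAMES.get(sw, f"unknown status word 0x{sw:04X}")

def tlv(tag: int, value: bytes) -> bytes:
    """One BER-TLV element with short or 0x81/0x82 long-form length."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + value

def encode_key_history(keys_on_card: int, keys_off_card: int, off_card_url: str = "") -> bytes:
    """Body for 'yubico-piv-tool -a write-object --id=0x5FC10C' (hex-encode it first)."""
    if not (0 <= keys_on_card <= 20 and 0 <= keys_off_card <= 20):
        raise ValueError("PIV defines 20 retired key slots (0x82..0x95)")
    body = tlv(0xC1, bytes([keys_on_card])) + tlv(0xC2, bytes([keys_off_card]))
    if off_card_url:
        body += tlv(0xF3, off_card_url.encode("ascii"))
    return body + tlv(0xFE, b"")  # error detection code: present, always empty

def decode_key_history(data: bytes) -> dict:
    """Parse a body back into fields; tolerates a missing FE tag, rejects truncation."""
    fields, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated TLV header")
        tag, n, i = data[i], data[i + 1], i + 2
        if n >= 0x80:                      # long form: low 7 bits = number of length bytes
            w = n & 0x7F
            n, i = int.from_bytes(data[i:i + w], "big"), i + w
        val, i = data[i:i + n], i + n
        if len(val) != n:
            raise ValueError("truncated TLV in key history object")
        if tag == 0xC1:
            fields["keys_on_card"] = val[0]
        elif tag == 0xC2:
            fields["keys_off_card"] = val[0]
        elif tag == 0xF3:
            fields["off_card_url"] = val.decode("ascii")
        elif tag != 0xFE:
            raise ValueError(f"unexpected tag 0x{tag:02X}")
    return fields
```

Running `decode_key_history(bytes.fromhex("c10102c20100"))` on the value from the question yields two keys with on-card certificates and none off-card, which is what slots 82 and 83 holding certificates would correspond to.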