Fallback from PIV mgt key type TDES to AES192 on failure

elonen · Oct 8, 2024 · 9cb6bea · 9cb6bea
1 parent a58d17a
commit 9cb6bea
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/hsm_secrets/piv/yubikey_piv.py b/hsm_secrets/piv/yubikey_piv.py
@@ -159,8 +159,14 @@ def __enter__(self):
         # Authenticate with management key
         key, key_type = self._select_management_key_smart(self.piv)
         try:
-            self.piv.authenticate(key_type, key)
             self.management_key = key  # Store the management key used
+            try:
+                self.piv.authenticate(key_type, key)
+            except ValueError as ve:
+                if 'management key type"' in str(ve) and key_type == MANAGEMENT_KEY_TYPE.TDES:
+                    # try AES192 instead
+                    cli_warn(f"Failed to authenticate with 3DES management key (key len: {len(key)} bytes - expected be 24). Trying again with AES192...")
+                    self.piv.authenticate(MANAGEMENT_KEY_TYPE.AES192, key)
         except yubikit.core.CommandError as e:
             cli_error(f"YubiKey PIV app mgt key authentication failed: {str(e)}")
             cli_warn("(Sometimes this means 'PUK is blocked' in YubiKey GUI. You may need to factory reset the PIV app.)")