From 9cb6beac932429be7e894b38a1c3c9ef18c83f97 Mon Sep 17 00:00:00 2001
From: Jarno Elonen
Date: Tue, 8 Oct 2024 15:38:23 +0300
Subject: [PATCH] Fallback from PIV mgt key type TDES to AES192 on failure

---
 hsm_secrets/piv/yubikey_piv.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/hsm_secrets/piv/yubikey_piv.py b/hsm_secrets/piv/yubikey_piv.py
index 902fa50..8148650 100644
--- a/hsm_secrets/piv/yubikey_piv.py
+++ b/hsm_secrets/piv/yubikey_piv.py
@@ -159,8 +159,14 @@ def __enter__(self):
         # Authenticate with management key
         key, key_type = self._select_management_key_smart(self.piv)
         try:
-            self.piv.authenticate(key_type, key)
             self.management_key = key  # Store the management key used
+            try:
+                self.piv.authenticate(key_type, key)
+            except ValueError as ve:
+                if 'management key type"' in str(ve) and key_type == MANAGEMENT_KEY_TYPE.TDES:
+                    # try AES192 instead
+                    cli_warn(f"Failed to authenticate with 3DES management key (key len: {len(key)} bytes - expected be 24). Trying again with AES192...")
+                    self.piv.authenticate(MANAGEMENT_KEY_TYPE.AES192, key)
         except yubikit.core.CommandError as e:
             cli_error(f"YubiKey PIV app mgt key authentication failed: {str(e)}")
             cli_warn("(Sometimes this means 'PUK is blocked' in YubiKey GUI. You may need to factory reset the PIV app.)")
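Review bot: The new `except ValueError as ve:` block swallows every ValueError whose message or key type does not match the fallback condition — when the `if` is false the handler simply completes, so `__enter__` continues as though management-key authentication had succeeded, with `self.management_key` already set on the line above. Re-raise on the non-matching path, e.g. `if 'management key type"' not in str(ve) or key_type != MANAGEMENT_KEY_TYPE.TDES:` followed by `raise`, keeping the AES192 retry as the only branch that suppresses the error. The retry `self.piv.authenticate(MANAGEMENT_KEY_TYPE.AES192, key)` also leaves the local `key_type` unchanged, so anything after the hunk that records or reuses the key type would presumably still see TDES; confirm against the rest of `__enter__`, which continues outside the hunk. Matching on the substring `'management key type"'` of the exception text is brittle across yubikit versions and deserves a comment naming the message it is meant to match, and the warning string `expected be 24` should read `expected to be 24`.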