Merge pull request #139 from str4d/135-better-mgmt-key-auth-error

Provide a better error message when management key authentication fails
str4d
2023-04-09 08:13:12 +01:00
committed by GitHub
3 changed files with 55 additions and 27 deletions
+5 -1
@@ -187,8 +187,12 @@ plugin-err-pin-required = A PIN is required for {-yubikey} with serial {$yub
## Errors ## Errors
err-mgmt-key-auth = Failed to authenticate with the PIN-protected management key.
rec-mgmt-key-auth =
Check whether your management key is using the TDES algorithm.
AES is not supported yet: {$aes_url}
err-custom-mgmt-key = Custom unprotected non-TDES management keys are not supported. err-custom-mgmt-key = Custom unprotected non-TDES management keys are not supported.
rec-custom-mgmt-key = rec-change-mgmt-key =
You can use the {-yubikey} Manager CLI to change to a protected management key: You can use the {-yubikey} Manager CLI to change to a protected management key:
{" "}{$cmd} {" "}{$cmd}
+22 -3
@@ -21,6 +21,7 @@ pub enum Error {
InvalidSlot(u8), InvalidSlot(u8),
InvalidTouchPolicy(String), InvalidTouchPolicy(String),
Io(io::Error), Io(io::Error),
ManagementKeyAuth,
MultipleCommands, MultipleCommands,
MultipleYubiKeys, MultipleYubiKeys,
NoEmptySlots(Serial), NoEmptySlots(Serial),
@@ -50,12 +51,19 @@ impl From<yubikey::Error> for Error {
// manually to provide the error output we want. // manually to provide the error output we want.
impl fmt::Debug for Error { impl fmt::Debug for Error {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
const CHANGE_MGMT_KEY_CMD: &str =
"ykman piv access change-management-key -a TDES --protect";
const CHANGE_MGMT_KEY_URL: &str = "https://developers.yubico.com/yubikey-manager/";
match self { match self {
Error::CustomManagementKey => { Error::CustomManagementKey => {
wlnfl!(f, "err-custom-mgmt-key")?; wlnfl!(f, "err-custom-mgmt-key")?;
let cmd = "ykman piv access change-management-key --protect"; wlnfl!(
let url = "https://developers.yubico.com/yubikey-manager/"; f,
wlnfl!(f, "rec-custom-mgmt-key", cmd = cmd, url = url)?; "rec-change-mgmt-key",
cmd = CHANGE_MGMT_KEY_CMD,
url = CHANGE_MGMT_KEY_URL
)?;
} }
Error::InvalidFlagCommand(flag, command) => wlnfl!( Error::InvalidFlagCommand(flag, command) => wlnfl!(
f, f,
@@ -78,6 +86,17 @@ impl fmt::Debug for Error {
expected = "always, cached, never", expected = "always, cached, never",
)?, )?,
Error::Io(e) => wlnfl!(f, "err-io", err = e.to_string())?, Error::Io(e) => wlnfl!(f, "err-io", err = e.to_string())?,
Error::ManagementKeyAuth => {
let aes_url = "https://github.com/str4d/age-plugin-yubikey/issues/92";
wlnfl!(f, "err-mgmt-key-auth")?;
wlnfl!(f, "rec-mgmt-key-auth", aes_url = aes_url)?;
wlnfl!(
f,
"rec-change-mgmt-key",
cmd = CHANGE_MGMT_KEY_CMD,
url = CHANGE_MGMT_KEY_URL
)?;
}
Error::MultipleCommands => wlnfl!(f, "err-multiple-commands")?, Error::MultipleCommands => wlnfl!(f, "err-multiple-commands")?,
Error::MultipleYubiKeys => wlnfl!(f, "err-multiple-yubikeys")?, Error::MultipleYubiKeys => wlnfl!(f, "err-multiple-yubikeys")?,
Error::NoEmptySlots(serial) => { Error::NoEmptySlots(serial) => {
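Review bot: The new `Error::ManagementKeyAuth` arm prints the shared `rec-change-mgmt-key` text ("change to a protected management key") after `rec-mgmt-key-auth`, but in the `Ok(mgm_key)` path of the other file in this commit the variant is only reached after `MgmKey::get_protected` succeeded, so the key is already protected and that wording no longer matches what the user needs to do; a dedicated recommendation string for this arm, or rewording `rec-change-mgmt-key` so it covers both the unprotected and the protected-non-TDES case, would avoid sending the user in the wrong direction. Separately, the AES issue link is left inline as `let aes_url = ...` while the sibling command and URL were hoisted to `CHANGE_MGMT_KEY_CMD` / `CHANGE_MGMT_KEY_URL` at the top of `fmt`; hoisting it the same way, `const AES_SUPPORT_ISSUE_URL: &str = "https://github.com/str4d/age-plugin-yubikey/issues/92";`, keeps the three links in one place. The `fmt` body continues outside the hunk.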
+8 -3
@@ -354,9 +354,13 @@ pub(crate) fn manage(yubikey: &mut YubiKey) -> Result<(), Error> {
yubikey.change_pin(pin.as_bytes(), new_pin.as_bytes())?; yubikey.change_pin(pin.as_bytes(), new_pin.as_bytes())?;
} }
if let Ok(mgm_key) = MgmKey::get_protected(yubikey) { match MgmKey::get_protected(yubikey) {
yubikey.authenticate(mgm_key)?; Ok(mgm_key) => yubikey.authenticate(mgm_key).map_err(|e| match e {
} else { yubikey::Error::AuthenticationError => Error::ManagementKeyAuth,
_ => e.into(),
})?,
Err(yubikey::Error::AuthenticationError) => Err(Error::ManagementKeyAuth)?,
_ => {
// Try to authenticate with the default management key. // Try to authenticate with the default management key.
yubikey yubikey
.authenticate(MgmKey::default()) .authenticate(MgmKey::default())
@@ -379,6 +383,7 @@ pub(crate) fn manage(yubikey: &mut YubiKey) -> Result<(), Error> {
})?; })?;
eprintln!("{}", fl!("mgr-changing-mgmt-key-success")); eprintln!("{}", fl!("mgr-changing-mgmt-key-success"));
} }
}
Ok(()) Ok(())
} }
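Review bot: The `_ => { ... }` arm of the new `match MgmKey::get_protected(yubikey)` falls through to the default management key on every error other than `AuthenticationError`, including transport or card errors, so a transient failure while reading the protected object is reported as whatever the default-key path produces instead of the underlying `yubikey::Error`. If the intent is "no protected key stored", matching that case explicitly (for example `Err(yubikey::Error::NotFound) => { /* default-key path */ }` with a final `Err(e) => return Err(e.into()),`) would keep other failures visible; I cannot see from here which variant `get_protected` returns when the object is absent, so confirm it before narrowing. Also, `Err(yubikey::Error::AuthenticationError) => Err(Error::ManagementKeyAuth)?,` uses `?` only to return; `Err(yubikey::Error::AuthenticationError) => return Err(Error::ManagementKeyAuth),` says the same thing directly. `manage` starts before the first hunk and the body between the two hunks is outside the view.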