Merge pull request #139 from str4d/135-better-mgmt-key-auth-error
Provide a better error message when management key authentication fails
This commit is contained in:
@@ -187,8 +187,12 @@ plugin-err-pin-required = A PIN is required for {-yubikey} with serial {$yub
|
|||||||
|
|
||||||
## Errors
|
## Errors
|
||||||
|
|
||||||
|
err-mgmt-key-auth = Failed to authenticate with the PIN-protected management key.
|
||||||
|
rec-mgmt-key-auth =
|
||||||
|
Check whether your management key is using the TDES algorithm.
|
||||||
|
AES is not supported yet: {$aes_url}
|
||||||
err-custom-mgmt-key = Custom unprotected non-TDES management keys are not supported.
|
err-custom-mgmt-key = Custom unprotected non-TDES management keys are not supported.
|
||||||
rec-custom-mgmt-key =
|
rec-change-mgmt-key =
|
||||||
You can use the {-yubikey} Manager CLI to change to a protected management key:
|
You can use the {-yubikey} Manager CLI to change to a protected management key:
|
||||||
{" "}{$cmd}
|
{" "}{$cmd}
|
||||||
|
|
||||||
|
|||||||
+22
-3
@@ -21,6 +21,7 @@ pub enum Error {
|
|||||||
InvalidSlot(u8),
|
InvalidSlot(u8),
|
||||||
InvalidTouchPolicy(String),
|
InvalidTouchPolicy(String),
|
||||||
Io(io::Error),
|
Io(io::Error),
|
||||||
|
ManagementKeyAuth,
|
||||||
MultipleCommands,
|
MultipleCommands,
|
||||||
MultipleYubiKeys,
|
MultipleYubiKeys,
|
||||||
NoEmptySlots(Serial),
|
NoEmptySlots(Serial),
|
||||||
@@ -50,12 +51,19 @@ impl From<yubikey::Error> for Error {
|
|||||||
// manually to provide the error output we want.
|
// manually to provide the error output we want.
|
||||||
impl fmt::Debug for Error {
|
impl fmt::Debug for Error {
|
||||||
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
|
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
|
||||||
|
const CHANGE_MGMT_KEY_CMD: &str =
|
||||||
|
"ykman piv access change-management-key -a TDES --protect";
|
||||||
|
const CHANGE_MGMT_KEY_URL: &str = "https://developers.yubico.com/yubikey-manager/";
|
||||||
|
|
||||||
match self {
|
match self {
|
||||||
Error::CustomManagementKey => {
|
Error::CustomManagementKey => {
|
||||||
wlnfl!(f, "err-custom-mgmt-key")?;
|
wlnfl!(f, "err-custom-mgmt-key")?;
|
||||||
let cmd = "ykman piv access change-management-key --protect";
|
wlnfl!(
|
||||||
let url = "https://developers.yubico.com/yubikey-manager/";
|
f,
|
||||||
wlnfl!(f, "rec-custom-mgmt-key", cmd = cmd, url = url)?;
|
"rec-change-mgmt-key",
|
||||||
|
cmd = CHANGE_MGMT_KEY_CMD,
|
||||||
|
url = CHANGE_MGMT_KEY_URL
|
||||||
|
)?;
|
||||||
}
|
}
|
||||||
Error::InvalidFlagCommand(flag, command) => wlnfl!(
|
Error::InvalidFlagCommand(flag, command) => wlnfl!(
|
||||||
f,
|
f,
|
||||||
@@ -78,6 +86,17 @@ impl fmt::Debug for Error {
|
|||||||
expected = "always, cached, never",
|
expected = "always, cached, never",
|
||||||
)?,
|
)?,
|
||||||
Error::Io(e) => wlnfl!(f, "err-io", err = e.to_string())?,
|
Error::Io(e) => wlnfl!(f, "err-io", err = e.to_string())?,
|
||||||
|
Error::ManagementKeyAuth => {
|
||||||
|
let aes_url = "https://github.com/str4d/age-plugin-yubikey/issues/92";
|
||||||
|
wlnfl!(f, "err-mgmt-key-auth")?;
|
||||||
|
wlnfl!(f, "rec-mgmt-key-auth", aes_url = aes_url)?;
|
||||||
|
wlnfl!(
|
||||||
|
f,
|
||||||
|
"rec-change-mgmt-key",
|
||||||
|
cmd = CHANGE_MGMT_KEY_CMD,
|
||||||
|
url = CHANGE_MGMT_KEY_URL
|
||||||
|
)?;
|
||||||
|
}
|
||||||
Error::MultipleCommands => wlnfl!(f, "err-multiple-commands")?,
|
Error::MultipleCommands => wlnfl!(f, "err-multiple-commands")?,
|
||||||
Error::MultipleYubiKeys => wlnfl!(f, "err-multiple-yubikeys")?,
|
Error::MultipleYubiKeys => wlnfl!(f, "err-multiple-yubikeys")?,
|
||||||
Error::NoEmptySlots(serial) => {
|
Error::NoEmptySlots(serial) => {
|
||||||
|
|||||||
+28
-23
@@ -354,30 +354,35 @@ pub(crate) fn manage(yubikey: &mut YubiKey) -> Result<(), Error> {
|
|||||||
yubikey.change_pin(pin.as_bytes(), new_pin.as_bytes())?;
|
yubikey.change_pin(pin.as_bytes(), new_pin.as_bytes())?;
|
||||||
}
|
}
|
||||||
|
|
||||||
if let Ok(mgm_key) = MgmKey::get_protected(yubikey) {
|
match MgmKey::get_protected(yubikey) {
|
||||||
yubikey.authenticate(mgm_key)?;
|
Ok(mgm_key) => yubikey.authenticate(mgm_key).map_err(|e| match e {
|
||||||
} else {
|
yubikey::Error::AuthenticationError => Error::ManagementKeyAuth,
|
||||||
// Try to authenticate with the default management key.
|
_ => e.into(),
|
||||||
yubikey
|
})?,
|
||||||
.authenticate(MgmKey::default())
|
Err(yubikey::Error::AuthenticationError) => Err(Error::ManagementKeyAuth)?,
|
||||||
.map_err(|_| Error::CustomManagementKey)?;
|
_ => {
|
||||||
|
// Try to authenticate with the default management key.
|
||||||
|
yubikey
|
||||||
|
.authenticate(MgmKey::default())
|
||||||
|
.map_err(|_| Error::CustomManagementKey)?;
|
||||||
|
|
||||||
// Migrate to a PIN-protected management key.
|
// Migrate to a PIN-protected management key.
|
||||||
let mgm_key = MgmKey::generate();
|
let mgm_key = MgmKey::generate();
|
||||||
eprintln!();
|
eprintln!();
|
||||||
eprintln!("{}", fl!("mgr-changing-mgmt-key"));
|
eprintln!("{}", fl!("mgr-changing-mgmt-key"));
|
||||||
eprint!("... ");
|
eprint!("... ");
|
||||||
mgm_key.set_protected(yubikey).map_err(|e| {
|
mgm_key.set_protected(yubikey).map_err(|e| {
|
||||||
eprintln!(
|
eprintln!(
|
||||||
"{}",
|
"{}",
|
||||||
fl!(
|
fl!(
|
||||||
"mgr-changing-mgmt-key-error",
|
"mgr-changing-mgmt-key-error",
|
||||||
management_key = hex::encode(mgm_key.as_ref()),
|
management_key = hex::encode(mgm_key.as_ref()),
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
e
|
e
|
||||||
})?;
|
})?;
|
||||||
eprintln!("{}", fl!("mgr-changing-mgmt-key-success"));
|
eprintln!("{}", fl!("mgr-changing-mgmt-key-success"));
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
Ok(())
|
Ok(())
|
||||||
|
|||||||
Reference in New Issue
Block a user