Provide a better error message when management key authentication fails
We now indicate to the user that AES management key algorithms are not yet supported, and tell them how to change their management key to use TDES. Closes str4d/age-plugin-yubikey#135.
This commit is contained in:
@@ -187,8 +187,12 @@ plugin-err-pin-required = A PIN is required for {-yubikey} with serial {$yub
|
|||||||
|
|
||||||
## Errors
|
## Errors
|
||||||
|
|
||||||
|
err-mgmt-key-auth = Failed to authenticate with the PIN-protected management key.
|
||||||
|
rec-mgmt-key-auth =
|
||||||
|
Check whether your management key is using the TDES algorithm.
|
||||||
|
AES is not supported yet: {$aes_url}
|
||||||
err-custom-mgmt-key = Custom unprotected non-TDES management keys are not supported.
|
err-custom-mgmt-key = Custom unprotected non-TDES management keys are not supported.
|
||||||
rec-custom-mgmt-key =
|
rec-change-mgmt-key =
|
||||||
You can use the {-yubikey} Manager CLI to change to a protected management key:
|
You can use the {-yubikey} Manager CLI to change to a protected management key:
|
||||||
{" "}{$cmd}
|
{" "}{$cmd}
|
||||||
|
|
||||||
|
|||||||
+22
-3
@@ -21,6 +21,7 @@ pub enum Error {
|
|||||||
InvalidSlot(u8),
|
InvalidSlot(u8),
|
||||||
InvalidTouchPolicy(String),
|
InvalidTouchPolicy(String),
|
||||||
Io(io::Error),
|
Io(io::Error),
|
||||||
|
ManagementKeyAuth,
|
||||||
MultipleCommands,
|
MultipleCommands,
|
||||||
MultipleYubiKeys,
|
MultipleYubiKeys,
|
||||||
NoEmptySlots(Serial),
|
NoEmptySlots(Serial),
|
||||||
@@ -50,12 +51,19 @@ impl From<yubikey::Error> for Error {
|
|||||||
// manually to provide the error output we want.
|
// manually to provide the error output we want.
|
||||||
impl fmt::Debug for Error {
|
impl fmt::Debug for Error {
|
||||||
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
|
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
|
||||||
|
const CHANGE_MGMT_KEY_CMD: &str =
|
||||||
|
"ykman piv access change-management-key -a TDES --protect";
|
||||||
|
const CHANGE_MGMT_KEY_URL: &str = "https://developers.yubico.com/yubikey-manager/";
|
||||||
|
|
||||||
match self {
|
match self {
|
||||||
Error::CustomManagementKey => {
|
Error::CustomManagementKey => {
|
||||||
wlnfl!(f, "err-custom-mgmt-key")?;
|
wlnfl!(f, "err-custom-mgmt-key")?;
|
||||||
let cmd = "ykman piv access change-management-key --protect";
|
wlnfl!(
|
||||||
let url = "https://developers.yubico.com/yubikey-manager/";
|
f,
|
||||||
wlnfl!(f, "rec-custom-mgmt-key", cmd = cmd, url = url)?;
|
"rec-change-mgmt-key",
|
||||||
|
cmd = CHANGE_MGMT_KEY_CMD,
|
||||||
|
url = CHANGE_MGMT_KEY_URL
|
||||||
|
)?;
|
||||||
}
|
}
|
||||||
Error::InvalidFlagCommand(flag, command) => wlnfl!(
|
Error::InvalidFlagCommand(flag, command) => wlnfl!(
|
||||||
f,
|
f,
|
||||||
@@ -78,6 +86,17 @@ impl fmt::Debug for Error {
|
|||||||
expected = "always, cached, never",
|
expected = "always, cached, never",
|
||||||
)?,
|
)?,
|
||||||
Error::Io(e) => wlnfl!(f, "err-io", err = e.to_string())?,
|
Error::Io(e) => wlnfl!(f, "err-io", err = e.to_string())?,
|
||||||
|
Error::ManagementKeyAuth => {
|
||||||
|
let aes_url = "https://github.com/str4d/age-plugin-yubikey/issues/92";
|
||||||
|
wlnfl!(f, "err-mgmt-key-auth")?;
|
||||||
|
wlnfl!(f, "rec-mgmt-key-auth", aes_url = aes_url)?;
|
||||||
|
wlnfl!(
|
||||||
|
f,
|
||||||
|
"rec-change-mgmt-key",
|
||||||
|
cmd = CHANGE_MGMT_KEY_CMD,
|
||||||
|
url = CHANGE_MGMT_KEY_URL
|
||||||
|
)?;
|
||||||
|
}
|
||||||
Error::MultipleCommands => wlnfl!(f, "err-multiple-commands")?,
|
Error::MultipleCommands => wlnfl!(f, "err-multiple-commands")?,
|
||||||
Error::MultipleYubiKeys => wlnfl!(f, "err-multiple-yubikeys")?,
|
Error::MultipleYubiKeys => wlnfl!(f, "err-multiple-yubikeys")?,
|
||||||
Error::NoEmptySlots(serial) => {
|
Error::NoEmptySlots(serial) => {
|
||||||
|
|||||||
+28
-23
@@ -354,30 +354,35 @@ pub(crate) fn manage(yubikey: &mut YubiKey) -> Result<(), Error> {
|
|||||||
yubikey.change_pin(pin.as_bytes(), new_pin.as_bytes())?;
|
yubikey.change_pin(pin.as_bytes(), new_pin.as_bytes())?;
|
||||||
}
|
}
|
||||||
|
|
||||||
if let Ok(mgm_key) = MgmKey::get_protected(yubikey) {
|
match MgmKey::get_protected(yubikey) {
|
||||||
yubikey.authenticate(mgm_key)?;
|
Ok(mgm_key) => yubikey.authenticate(mgm_key).map_err(|e| match e {
|
||||||
} else {
|
yubikey::Error::AuthenticationError => Error::ManagementKeyAuth,
|
||||||
// Try to authenticate with the default management key.
|
_ => e.into(),
|
||||||
yubikey
|
})?,
|
||||||
.authenticate(MgmKey::default())
|
Err(yubikey::Error::AuthenticationError) => Err(Error::ManagementKeyAuth)?,
|
||||||
.map_err(|_| Error::CustomManagementKey)?;
|
_ => {
|
||||||
|
// Try to authenticate with the default management key.
|
||||||
|
yubikey
|
||||||
|
.authenticate(MgmKey::default())
|
||||||
|
.map_err(|_| Error::CustomManagementKey)?;
|
||||||
|
|
||||||
// Migrate to a PIN-protected management key.
|
// Migrate to a PIN-protected management key.
|
||||||
let mgm_key = MgmKey::generate();
|
let mgm_key = MgmKey::generate();
|
||||||
eprintln!();
|
eprintln!();
|
||||||
eprintln!("{}", fl!("mgr-changing-mgmt-key"));
|
eprintln!("{}", fl!("mgr-changing-mgmt-key"));
|
||||||
eprint!("... ");
|
eprint!("... ");
|
||||||
mgm_key.set_protected(yubikey).map_err(|e| {
|
mgm_key.set_protected(yubikey).map_err(|e| {
|
||||||
eprintln!(
|
eprintln!(
|
||||||
"{}",
|
"{}",
|
||||||
fl!(
|
fl!(
|
||||||
"mgr-changing-mgmt-key-error",
|
"mgr-changing-mgmt-key-error",
|
||||||
management_key = hex::encode(mgm_key.as_ref()),
|
management_key = hex::encode(mgm_key.as_ref()),
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
e
|
e
|
||||||
})?;
|
})?;
|
||||||
eprintln!("{}", fl!("mgr-changing-mgmt-key-success"));
|
eprintln!("{}", fl!("mgr-changing-mgmt-key-success"));
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
Ok(())
|
Ok(())
|
||||||
|
|||||||
Reference in New Issue
Block a user