Provide a better error message when management key authentication fails

We now indicate to the user that AES management key algorithms are not
yet supported, and tell them how to change their management key to use
TDES.

Closes str4d/age-plugin-yubikey#135.
This commit is contained in:
Jack Grigg
2023-04-09 06:48:57 +00:00
parent 22fd00bd22
commit 62f237f859
3 changed files with 55 additions and 27 deletions
+5 -1
View File
@@ -187,8 +187,12 @@ plugin-err-pin-required = A PIN is required for {-yubikey} with serial {$yub
## Errors
err-mgmt-key-auth = Failed to authenticate with the PIN-protected management key.
rec-mgmt-key-auth =
Check whether your management key is using the TDES algorithm.
AES is not supported yet: {$aes_url}
err-custom-mgmt-key = Custom unprotected non-TDES management keys are not supported.
rec-custom-mgmt-key =
rec-change-mgmt-key =
You can use the {-yubikey} Manager CLI to change to a protected management key:
{" "}{$cmd}
+22 -3
View File
@@ -21,6 +21,7 @@ pub enum Error {
InvalidSlot(u8),
InvalidTouchPolicy(String),
Io(io::Error),
ManagementKeyAuth,
MultipleCommands,
MultipleYubiKeys,
NoEmptySlots(Serial),
@@ -50,12 +51,19 @@ impl From<yubikey::Error> for Error {
// manually to provide the error output we want.
impl fmt::Debug for Error {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
const CHANGE_MGMT_KEY_CMD: &str =
"ykman piv access change-management-key -a TDES --protect";
const CHANGE_MGMT_KEY_URL: &str = "https://developers.yubico.com/yubikey-manager/";
match self {
Error::CustomManagementKey => {
wlnfl!(f, "err-custom-mgmt-key")?;
let cmd = "ykman piv access change-management-key --protect";
let url = "https://developers.yubico.com/yubikey-manager/";
wlnfl!(f, "rec-custom-mgmt-key", cmd = cmd, url = url)?;
wlnfl!(
f,
"rec-change-mgmt-key",
cmd = CHANGE_MGMT_KEY_CMD,
url = CHANGE_MGMT_KEY_URL
)?;
}
Error::InvalidFlagCommand(flag, command) => wlnfl!(
f,
@@ -78,6 +86,17 @@ impl fmt::Debug for Error {
expected = "always, cached, never",
)?,
Error::Io(e) => wlnfl!(f, "err-io", err = e.to_string())?,
Error::ManagementKeyAuth => {
let aes_url = "https://github.com/str4d/age-plugin-yubikey/issues/92";
wlnfl!(f, "err-mgmt-key-auth")?;
wlnfl!(f, "rec-mgmt-key-auth", aes_url = aes_url)?;
wlnfl!(
f,
"rec-change-mgmt-key",
cmd = CHANGE_MGMT_KEY_CMD,
url = CHANGE_MGMT_KEY_URL
)?;
}
Error::MultipleCommands => wlnfl!(f, "err-multiple-commands")?,
Error::MultipleYubiKeys => wlnfl!(f, "err-multiple-yubikeys")?,
Error::NoEmptySlots(serial) => {
+8 -3
View File
@@ -354,9 +354,13 @@ pub(crate) fn manage(yubikey: &mut YubiKey) -> Result<(), Error> {
yubikey.change_pin(pin.as_bytes(), new_pin.as_bytes())?;
}
if let Ok(mgm_key) = MgmKey::get_protected(yubikey) {
yubikey.authenticate(mgm_key)?;
} else {
match MgmKey::get_protected(yubikey) {
Ok(mgm_key) => yubikey.authenticate(mgm_key).map_err(|e| match e {
yubikey::Error::AuthenticationError => Error::ManagementKeyAuth,
_ => e.into(),
})?,
Err(yubikey::Error::AuthenticationError) => Err(Error::ManagementKeyAuth)?,
_ => {
// Try to authenticate with the default management key.
yubikey
.authenticate(MgmKey::default())
@@ -379,6 +383,7 @@ pub(crate) fn manage(yubikey: &mut YubiKey) -> Result<(), Error> {
})?;
eprintln!("{}", fl!("mgr-changing-mgmt-key-success"));
}
}
Ok(())
}