Yubico Forum


All times are UTC + 1 hour
PostPosted: Mon Feb 02, 2015 5:07 pm 

Joined: Wed Dec 11, 2013 11:09 pm
Posts: 2
Hi.

I cannot set up set-mgm-key with piv-tool. I followed the instructions from https://developers.yubico.com/yubico-pi ... h_NEO.html (Preparing a Sub-CA NEO) and got the following error:
$ yubico-piv-tool -V
yubico-piv-tool 0.1.4

$ key=`dd if=/dev/random bs=1 count=24 2>/dev/null | hexdump -v -e '/1 "%02X"'`; echo $key; yubico-piv-tool -a set-mgm-key -n $key -v 9
75AC965BECE5B3B60C623B1277224B47CC22522FCED8FD6E
using reader 'Yubico Yubikey NEO OTP+U2F+CCID' matching 'Yubikey'.
Authenticating since action 2 needs that.
Successful applet authentication.
Now processing for action 2.
Won't set new key '75 ac 96 5b ec e5 b3 b6 ' since it's got odd parity.
Failed setting the new key!


The Yubikey firmware version is 3.3.6 and PIV applet version is 0.1.2. And I'm using binary (precompiled) yubico-piv-tool for MacOS.

Can you please explain how I can set the PIV applet's management key on a fresh Yubikey NEO?



PostPosted: Tue Feb 03, 2015 8:02 am 

Joined: Fri Nov 21, 2014 1:50 am
Posts: 5
The following script should work. When I have some more time, I'll explain what it's doing, but this should work if you need to get up and running on version 0.1.4. I had to invoke some serious bit black magic to get it working, but I've tested it several hundred times and all produced keys have succeeded. There's probably a far more elegant way to handle the character encoding than hex printf, but I needed to shotgun my way through it to get something viable working.
Code:
#!/bin/bash
# Build a 24-byte (3DES) management key in which every byte has odd parity,
# which is what yubico-piv-tool 0.1.4 checks before accepting a new key.
NEW_MGM_KEY=
BYTE_COUNTER=0
until [ "$BYTE_COUNTER" -eq 24 ]
do
   # one random byte, rendered as two hex digits
   CURRENT_BYTE=$(dd if=/dev/urandom bs=1 count=1 2>/dev/null | hexdump -v -e '/1 "%02x"' | cut -c1-2)
   # force the low (parity) bit on, then decide below whether it must be cleared again
   printf -v CURRENT_BYTE '%02x' $((16#$CURRENT_BYTE | 16#01))
   # fold the byte into one nibble: parity(byte) == parity(high nibble XOR low nibble)
   printf -v TEMP_BYTE '%x' $((16#$CURRENT_BYTE ^ (16#$CURRENT_BYTE >> 4)))
   printf -v TEMP_BYTE '%x' $((16#$TEMP_BYTE & 0x0f))
   # 0x6996 is a 16-entry parity lookup table: bit n is the parity (1 = odd) of nibble n
   printf -v PARITY_BIT '%x' $(((0x6996 >> 16#$TEMP_BYTE) & 0x01))
   # parity already odd -> mask 0xff keeps the byte; even -> mask 0xfe clears the low bit
   printf -v PARITY_MASK '%x' $((0xfe | 16#$PARITY_BIT))
   # %02x keeps the leading zero for bytes below 0x10
   printf -v NEW_BYTE '%02x' $((16#$CURRENT_BYTE & 16#$PARITY_MASK))
   NEW_MGM_KEY="$NEW_MGM_KEY$NEW_BYTE"
   BYTE_COUNTER=$((BYTE_COUNTER + 1))
done
echo "$NEW_MGM_KEY"

For your purposes, replace my echo command with something like:
Code:
yubico-piv-tool -v -a set-mgm-key -n $NEW_MGM_KEY

Remember that this is a privileged operation, and the yubico-piv-tool is silently invoking the default key when -k <current_key> is not provided. If you want to change the key after you've changed it one or more times, you'll need to use:
Code:
yubico-piv-tool -v -a set-mgm-key -n $NEW_MGM_KEY -k $CURRENT_MGM_KEY

-asym


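As an added example, not code from either poster or from Yubico, here is the same odd-parity rule that the script above implements, written in Python so that a candidate key (the one from the question, or one produced by any other generator) can be checked and repaired before the privileged set-mgm-key call is attempted. It reuses the script's 0x6996 nibble table and explains it in the comments, and it assumes nothing beyond the Python standard library; the key constant is the one the question shows, which 0.1.4 rejected because its second byte, 0xAC, has an even number of set bits.

```python
import secrets

# Key from the original question; yubico-piv-tool 0.1.4 refused it on parity grounds.
QUESTION_KEY_HEX = "75AC965BECE5B3B60C623B1277224B47CC22522FCED8FD6E"

# 16-bit parity lookup table, the same constant the forum script uses:
# bit n of 0x6996 is the parity (1 = odd number of set bits) of the 4-bit value n.
PARITY_NIBBLE_TABLE = 0x6996


def has_odd_parity(byte: int) -> bool:
    """True if the byte has an odd number of set bits (the DES key-byte rule)."""
    nibble = (byte ^ (byte >> 4)) & 0x0F   # parity(byte) == parity(hi ^ lo)
    return bool((PARITY_NIBBLE_TABLE >> nibble) & 1)


def first_bad_byte(key: bytes):
    """Return (index, value) of the first even-parity byte, or None if all are odd."""
    for i, b in enumerate(key):
        if not has_odd_parity(b):
            return i, b
    return None


def fix_parity(key: bytes) -> bytes:
    """Adjust bit 0 of every byte so each byte has odd parity.

    Bit 0 is the DES parity bit, so only that bit is ever changed; the seven
    key bits of every byte are left untouched.
    """
    out = bytearray()
    for b in key:
        b |= 0x01                      # assume the parity bit should be set ...
        if not has_odd_parity(b):      # ... and clear it again if that made parity even
            b &= 0xFE
        out.append(b)
    return bytes(out)


def generate_mgm_key(length: int = 24) -> str:
    """Fresh random 3DES management key, upper-case hex, odd parity in every byte."""
    return fix_parity(secrets.token_bytes(length)).hex().upper()


if __name__ == "__main__":
    question_key = bytes.fromhex(QUESTION_KEY_HEX)
    print("question key rejected at (index, byte):", first_bad_byte(question_key))
    print("parity-fixed version:", fix_parity(question_key).hex().upper())
    print("new key:", generate_mgm_key())
```

The output of generate_mgm_key() can be passed straight to the -n argument of set-mgm-key. Because every byte it returns has odd parity, the key is accepted both by 0.1.4, which enforced the rule, and by later releases that do not; running first_bad_byte() on a key before the command is a cheap way to tell a parity rejection apart from a wrong current key (-k) when the tool reports a failure.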
PostPosted: Fri Feb 06, 2015 9:38 am 
Site Admin

Joined: Thu Apr 19, 2012 1:45 pm
Posts: 148
Hello,

Adding parity enforcing in version 0.1.4 was not a very well considered change. We've changed it back to not enforcing parity and released 0.1.5 since.

/klas

