The following script should work. When I have some more time, I'll explain what it's doing, but this should work if you need to get up and running on version 0.1.4. I had to invoke some serious bit black magic to get it working, but I've tested it several hundred times and all produced keys have succeeded. There's probably a far more elegant way to handle the character encoding than hex printf, but I needed to shotgun my way through it to get something viable working.
Code:
NEW_MGM_KEY=
BYTE_COUNTER=0
until [ "$BYTE_COUNTER" -eq 24 ]
do
    # one random byte, rendered as two hex digits
    CURRENT_BYTE=$(dd if=/dev/urandom bs=1 count=1 2>/dev/null | hexdump -v -e '/1 "%02x"' | cut -c1-2)
    # set the low bit (the DES parity bit) so the byte starts out with parity bit = 1
    printf -v CURRENT_BYTE '%x' $((16#$CURRENT_BYTE | 16#01))
    # fold the byte into one nibble: the nibble's parity equals the byte's parity
    printf -v TEMP_BYTE '%x' $((16#$CURRENT_BYTE ^ (16#$CURRENT_BYTE >> 4)))
    printf -v TEMP_BYTE '%x' $((16#$TEMP_BYTE & 0x0f))
    # 0x6996 is a 16-entry parity table: bit n is 1 when n has an odd number of set bits
    printf -v PARITY_BIT '%x' $(((0x6996>>16#$TEMP_BYTE) & 0x01))
    # odd already -> mask 0xff keeps the byte; even -> mask 0xfe clears the parity bit
    printf -v PARITY_MASK '%x' $((0xfe | 16#$PARITY_BIT))
    printf -v FIXED_BYTE '%x' $((16#$CURRENT_BYTE & 16#$PARITY_MASK))
    # left-pad to two hex digits
    if (( 16#$FIXED_BYTE <= 0xf ))
    then
        NEW_BYTE="0$FIXED_BYTE"
    else
        NEW_BYTE="$FIXED_BYTE"
    fi
    NEW_MGM_KEY="$NEW_MGM_KEY$NEW_BYTE"
    let BYTE_COUNTER+=1
done
echo "$NEW_MGM_KEY"
For your purposes, replace my echo command with something like:
Code:
yubico-piv-tool -v -a set-mgm-key -n $NEW_MGM_KEY
Remember that this is a privileged operation, and the yubico-piv-tool is silently invoking the default key when -k <current_key> is not provided. If you want to change the key after you've changed it one or more times, you'll need to use:
Code:
yubico-piv-tool -v -a set-mgm-key -n $NEW_MGM_KEY -k $CURRENT_MGM_KEY
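As an added example (not code from the post above): the same 0x6996 nibble-lookup parity trick written as bash functions, plus a checker that validates a finished 48-hex-digit key has odd parity in every byte before it is handed to `set-mgm-key`. It assumes `od` is available to read the random bytes.

```bash
#!/usr/bin/env bash
# Parity of a byte value: 1 when it has an odd number of set bits.
# Same trick as the script above: fold to a nibble, index the 0x6996 table.
byte_parity() {
  local b=$1
  local n=$(( (b ^ (b >> 4)) & 0x0f ))
  echo $(( (0x6996 >> n) & 1 ))
}

# Force odd parity by setting, then possibly clearing, the parity (low) bit.
# Prints the result as two lowercase hex digits.
fix_parity() {
  local b=$(( $1 | 0x01 ))
  if [ "$(byte_parity "$b")" -eq 0 ]; then
    b=$(( b & 0xfe ))
  fi
  printf '%02x' "$b"
}

# Build a 24-byte (48 hex digit) key with odd parity on every byte.
generate_mgm_key() {
  local key= b
  for b in $(od -An -tu1 -N24 /dev/urandom); do
    key+=$(fix_parity "$b")
  done
  echo "$key"
}

# Return 0 if the key is 48 hex digits and every byte has odd parity, else 1.
check_mgm_key() {
  local key=$1 i=0
  [ ${#key} -eq 48 ] || return 1
  while [ "$i" -lt 48 ]; do
    local byte=$(( 16#${key:$i:2} ))
    [ "$(byte_parity "$byte")" -eq 1 ] || return 1
    i=$(( i + 2 ))
  done
  return 0
}

# Usage: generate, then refuse to proceed unless the check passes.
KEY=$(generate_mgm_key)
check_mgm_key "$KEY" && echo "$KEY"
```

Run `check_mgm_key` on any key you are about to load, including one produced by the script above, and only call `set-mgm-key` when it returns 0.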