Yubico Forum
https://forum.yubico.com/

piv-tool cannot set management key
https://forum.yubico.com/viewtopic.php?f=26&t=1729
Page 1 of 1

Author:  nikki [ Mon Feb 02, 2015 5:07 pm ]
Post subject:  piv-tool cannot set management key

Hi.

I cannot set up set-mgm-key with piv-tool. I followed the instructions from https://developers.yubico.com/yubico-pi ... h_NEO.html (Preparing a Sub-CA NEO) and got the following error:
$ yubico-piv-tool -V
yubico-piv-tool 0.1.4

$ key=`dd if=/dev/random bs=1 count=24 2>/dev/null | hexdump -v -e '/1 "%02X"'`; echo $key; yubico-piv-tool -a set-mgm-key -n $key -v 9
75AC965BECE5B3B60C623B1277224B47CC22522FCED8FD6E
using reader 'Yubico Yubikey NEO OTP+U2F+CCID' matching 'Yubikey'.
Authenticating since action 2 needs that.
Successful applet authentication.
Now processing for action 2.
Won't set new key '75 ac 96 5b ec e5 b3 b6 ' since it's got odd parity.
Failed setting the new key!


The Yubikey firmware version is 3.3.6 and PIV applet version is 0.1.2. And I'm using binary (precompiled) yubico-piv-tool for MacOS.

Can you please explain how I can set the PIV applet's management key on a fresh Yubikey NEO?

Author:  asym [ Tue Feb 03, 2015 8:02 am ]
Post subject:  Re: piv-tool cannot set management key

The following script should work. When I have some more time, I'll explain what it's doing, but this should work if you need to get up and running on version 0.1.4. I had to invoke some serious bit black magic to get it working, but I've tested it several hundred times and all produced keys have succeeded. There's probably a far more elegant way to handle the character encoding than hex printf, but I needed to shotgun my way through it to get something viable working.
Code:
#!/usr/bin/env bash
# Build a 24-byte (3DES) management key in which every byte has odd parity,
# which yubico-piv-tool 0.1.4 insists on.
NEW_MGM_KEY=
BYTE_COUNTER=0
until [ "$BYTE_COUNTER" -eq 24 ]
do
   # one random byte as two hex digits
   CURRENT_BYTE=$(dd if=/dev/urandom bs=1 count=1 2>/dev/null | hexdump -v -e '/1 "%02x"')
   # force the low (parity) bit to 1
   printf -v CURRENT_BYTE '%x' $((16#$CURRENT_BYTE | 16#01))
   # fold the high nibble into the low nibble, so the low nibble's parity is the byte's parity
   printf -v TEMP_BYTE '%x' $((16#$CURRENT_BYTE ^ (16#$CURRENT_BYTE >> 4)))
   printf -v TEMP_BYTE '%x' $((16#$TEMP_BYTE & 0x0f))
   # 0x6996 is a 16-entry lookup table: bit n is the parity of the nibble value n
   printf -v PARITY_BIT '%x' $(((0x6996 >> 16#$TEMP_BYTE) & 0x01))
   # parity already odd -> keep the byte (mask 0xff); even -> clear bit 0 (mask 0xfe)
   printf -v PARITY_MASK '%x' $((0xfe | 16#$PARITY_BIT))
   # %02x keeps the leading zero, so no separate padding step is needed
   printf -v NEW_BYTE '%02x' $((16#$CURRENT_BYTE & 16#$PARITY_MASK))
   NEW_MGM_KEY="$NEW_MGM_KEY$NEW_BYTE"
   BYTE_COUNTER=$((BYTE_COUNTER + 1))
done
echo "$NEW_MGM_KEY"

For your purposes, replace my echo command with something like:
Code:
yubico-piv-tool -v -a set-mgm-key -n $NEW_MGM_KEY

Remember that this is a privileged operation, and the yubico-piv-tool is silently invoking the default key when -k <current_key> is not provided. If you want to change the key after you've changed it one or more times, you'll need to use:
Code:
yubico-piv-tool -v -a set-mgm-key -n $NEW_MGM_KEY -k $CURRENT_MGM_KEY

-asym
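The per-byte rule asym's generator enforces, written out as a checker and repairer for an existing hex key. This is an added example, not part of the thread and not yubico-piv-tool's own code; it uses the same 0x6996 nibble-parity lookup as the script above, assumes an even-length hex key, and takes the sample key from the original post as its constructed input. DES keys conventionally carry odd parity in every byte, which is the property the generator forces.

```shell
#!/bin/sh
# Added example: check and repair the per-byte parity of a hex-encoded 3DES key.

# byte_parity HEXBYTE -> prints 1 if the byte has an odd number of set bits, else 0
byte_parity() {
    b=$((0x$1))
    # fold the high nibble into the low nibble: the nibble's parity is then the byte's
    n=$(( (b ^ (b >> 4)) & 0x0f ))
    # 0x6996 = 0110 1001 1001 0110: bit n holds the parity of the nibble value n
    echo $(( (0x6996 >> n) & 1 ))
}

# odd_parity_byte HEXBYTE -> prints the byte with bit 0 adjusted so its parity is odd
odd_parity_byte() {
    b=$((0x$1))
    if [ "$(byte_parity "$1")" -eq 1 ]; then
        printf '%02X' "$b"
    else
        printf '%02X' $(( b ^ 1 ))   # flipping bit 0 changes the popcount by one
    fi
}

# bad_parity_bytes HEXKEY -> prints the space-separated bytes that have even parity
bad_parity_bytes() {
    key=$1
    out=
    while [ -n "$key" ]; do
        rest=${key#??}
        byte=${key%"$rest"}
        if [ "$(byte_parity "$byte")" -eq 0 ]; then
            out="$out${out:+ }$byte"
        fi
        key=$rest
    done
    printf '%s\n' "$out"
}

# fix_key_parity HEXKEY -> prints the key with every byte forced to odd parity
fix_key_parity() {
    key=$1
    out=
    while [ -n "$key" ]; do
        rest=${key#??}
        byte=${key%"$rest"}
        out="$out$(odd_parity_byte "$byte")"
        key=$rest
    done
    printf '%s\n' "$out"
}

# Constructed sample input: the 24-byte key from the original post, which 0.1.4 rejected.
SAMPLE_KEY=75AC965BECE5B3B60C623B1277224B47CC22522FCED8FD6E
echo "bytes with even parity: $(bad_parity_bytes "$SAMPLE_KEY")"
echo "repaired key:           $(fix_key_parity "$SAMPLE_KEY")"
```

Running the checker on the posted key shows that two of the first eight bytes (ac and 96) already have even parity, which is enough for 0.1.4 to refuse the key; repairing only touches bit 0 of each offending byte, so the other 7 bits of entropy per byte are untouched, the same trade-off asym's generator makes.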

Author:  Klas [ Fri Feb 06, 2015 9:38 am ]
Post subject:  Re: piv-tool cannot set management key

Hello,

Adding parity enforcement in version 0.1.4 was not a very well considered change. We've changed it back to not enforcing parity and released 0.1.5 since.

/klas
