Invalid PIN despite correct pin and all retries lost #199

Open
jakubgs opened this issue Dec 13, 2024 · 8 comments

Comments

@jakubgs

jakubgs commented Dec 13, 2024

Environment

  • OS: NixOS 24.11
  • age-plugin-yubikey version: 0.5.0

What were you trying to do

I'm trying to generate a new age identity for my Yubikey.

What happened

 > age-plugin-yubikey
✨ Let's get your YubiKey set up for age! ✨

This tool can create a new age identity in a free slot of your YubiKey.
It will generate an identity file that you can use with an age client,
along with the corresponding recipient. You can also do this directly
with:
    age-plugin-yubikey --generate

If you are already using a YubiKey with age, you can select an existing
slot to recreate its corresponding identity file and recipient.

When asked below to select an option, use the up/down arrow keys to
make your choice, or press [Esc] or [q] to quit.

🔑 Select a YubiKey: Yubico YubiKey OTP+FIDO+CCID 00 00 (Serial: 123456789)
🕳️  Select a slot for your age identity: Slot 1 (Empty)
📛 Name this identity [age identity TAG_HEX]: 
🔤 Select a PIN policy: Once   (A PIN is required once per session, if set)
👆 Select a touch policy: Cached (A physical touch is required for decryption, and is cached for 15 seconds)
Generate new identity in slot 1? yes

🎲 Generating key...

Enter PIN for YubiKey with serial 123456789 (default is 123456): [hidden]
Error: Invalid PIN (0 tries remaining before it is blocked)

I provide the correct PIN, after which I get the Invalid PIN error and the Yubikey becomes unusable until I unplug and re-plug it in.

The same issue was happening with 0.4.0 on NixOS 24.05.

@jakubgs
Author

jakubgs commented Dec 13, 2024

Interestingly this does not happen with another Key of mine, there I get a different issue:

Enter PIN for YubiKey with serial 987654321 (default is 123456): [hidden]
Error: Custom unprotected non-TDES management keys are not supported.
You can use the YubiKey Manager CLI to change to a protected management key:
  ykman piv access change-management-key -a TDES --protect

The one that fails with Invalid PIN is this one:

Device type: YubiKey 5 NFC
Firmware version: 5.2.7
Form factor: Keychain (USB-A)
Enabled USB interfaces: OTP, FIDO, CCID
NFC transport is enabled

Applications	USB          	NFC          
Yubico OTP  	Enabled      	Enabled
FIDO U2F    	Enabled      	Enabled
FIDO2       	Enabled      	Enabled
OATH        	Enabled      	Enabled
PIV         	Enabled      	Enabled
OpenPGP     	Enabled      	Enabled
YubiHSM Auth	Not available	Not available

And the one that complains about Custom unprotected non-TDES management keys is this one:

Device type: YubiKey 5 NFC
Firmware version: 5.1.1
Form factor: Keychain (USB-A)
Enabled USB interfaces: OTP, FIDO, CCID
NFC transport is enabled

Applications	USB          	NFC          
Yubico OTP  	Enabled      	Enabled
FIDO U2F    	Enabled      	Enabled
FIDO2       	Enabled      	Enabled
OATH        	Enabled      	Enabled
PIV         	Enabled      	Disabled
OpenPGP     	Enabled      	Enabled
YubiHSM Auth	Not available	Not available

Interestingly it's the newer firmware version that has issues.

@jakubgs
Author

jakubgs commented Dec 13, 2024

What's interesting is the one causing Custom unprotected non-TDES management keys has TDES enabled:

PIV version:              5.1.1
PIN tries remaining:      3
Management key algorithm: TDES
CHUID: No data available
CCC:   No data available

@jakubgs
Author

jakubgs commented Dec 13, 2024

Okay, this is weird, the key that gets Invalid PIN is perfectly usable via gpg and gpg-agent, but this fails:

 > ykman piv info
ERROR: Failed to connect to YubiKey.

I wonder if this is a buggy YubiKey firmware version or just a glitch of my setup.
I find that unlikely because the other one works.

@kirelagin

Error: Invalid PIN (0 tries remaining before it is blocked)

I provide the correct PIN, after which I get the Invalid PIN error and the Yubikey becomes unusable until I unplug and re-plug it in.

I’m a bit confused about your description. If the PIV is blocked due to multiple invalid PINs, then it is blocked forever – it doesn’t matter whether you re-plug it or not. Are you saying that it is still giving you the error after you reset the PIN? Also, I feel I should probably mention, just in case, that the PIV and the OpenPGP PINs are completely unrelated.

 > ykman piv info
ERROR: Failed to connect to YubiKey.

This is happening because your YubiKey gets “captured” by gpg-agent and thus the PIV app becomes unavailable. If you’ve been using the YubiKey’s OpenPGP app, you will need to re-plug it before it becomes available for PIV again.

@kirelagin

kirelagin commented Jan 8, 2025

Error: Custom unprotected non-TDES management keys are not supported.

From your output, I guess the problem here is not that it is TDES but that it is custom and unprotected.

@jakubgs
Author

jakubgs commented Jan 8, 2025

I see, but what does that actually mean? I created both yubikeys the same way, using gpg and keytocard command. I don't really get why it would be different, unless the difference is in the YubiKey configuration itself. Which is possible considering different firmware versions.

@kirelagin

kirelagin commented Jan 8, 2025

There are two “competing” standards for doing public key cryptography using a smart card: one is PIV, the other one is OpenPGP. In practice, this means that your YubiKey contains two completely separate smart cards. It sounds like you’ve configured the OpenPGP one the way you like, now you need to configure the PIV one.

age-plugin-yubikey with no options is basically a default configuration wizard, which does the simplest sensible thing – generates a new key on the YubiKey. If you want to configure it similarly to how you’ve done it with OpenPGP, you’ll pretty much have to do the same steps, but using PIV-compatible tools instead of GPG (not sure how off the top of my head as I don’t use keys generated outside the card, but there are definitely tools).
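As an added example that is not code from the issue, from age-plugin-yubikey or from its maintainers, and that serves both the gpg-agent "capture" explanation and the PIV-versus-OpenPGP explanation above: a bash preflight that releases the card from gpg-agent's scdaemon, then reads the PIV retry counter and management-key lines out of `ykman piv info` before any tool is allowed a PIN attempt, so a wrong PIN (for instance the OpenPGP PIN typed into a PIV prompt) is caught before the last retry is burned. The sample output is constructed, modelled on the `ykman piv info` text quoted earlier in the thread; the "protected by PIN" wording is an assumption about what ykman prints for a PIN-protected management key, and the function names are mine.

```shell
#!/usr/bin/env bash
# Added example (not from the issue, age-plugin-yubikey or its maintainers):
# a preflight for the PIV applet before any tool is allowed a PIN attempt.
# 1. Release the card from gpg-agent's scdaemon, which keeps exclusive hold
#    of the CCID interface after OpenPGP use (why `ykman piv info` failed).
# 2. Read the PIV retry counter and management-key lines from `ykman piv info`
#    and stop before a wrong PIN entry burns the last retry.
set -eu

# ---- parsers over `ykman piv info` text passed in $1 -------------------------

# "PIN tries remaining:      3"  ->  3   (empty if the line is missing)
piv_pin_tries() {
  printf '%s\n' "$1" | sed -n 's/^PIN tries remaining:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# "Management key algorithm: TDES"  ->  TDES
piv_mgmt_algorithm() {
  printf '%s\n' "$1" | sed -n 's/^Management key algorithm:[[:space:]]*\([A-Za-z0-9]*\).*/\1/p'
}

# Assumption: ykman prints "Management key is stored on the YubiKey,
# protected by PIN." for a PIN-protected management key; no such line, not protected.
piv_mgmt_protected() {
  case "$1" in
    *"protected by PIN"*) return 0 ;;
    *)                    return 1 ;;
  esac
}

# ---- policy -----------------------------------------------------------------

# Return codes: 0 proceed; 1 last retry left; 2 PIN blocked;
# 3 custom unprotected non-TDES management key; 4 output unreadable.
piv_preflight() {
  info=$1
  tries=$(piv_pin_tries "$info")
  algo=$(piv_mgmt_algorithm "$info")
  if [ -z "$tries" ]; then
    echo "preflight: no retry counter in output; PIV applet not reachable?" >&2
    return 4
  fi
  if [ "$tries" -eq 0 ]; then
    echo "preflight: PIV PIN is blocked; only the PUK unblocks it (ykman piv access unblock-pin)" >&2
    return 2
  fi
  if [ "$tries" -le 1 ]; then
    echo "preflight: $tries PIV PIN try left; one more wrong entry blocks it." >&2
    echo "preflight: the PIV PIN is separate from the OpenPGP PIN (factory default 123456)." >&2
    return 1
  fi
  if ! piv_mgmt_protected "$info" && [ "$algo" != "TDES" ]; then
    echo "preflight: $algo management key, not PIN-protected: age-plugin-yubikey rejects custom unprotected non-TDES keys" >&2
    echo "preflight: see: ykman piv access change-management-key -a TDES --protect" >&2
    return 3
  fi
  echo "preflight: $tries PIN tries left, management key $algo"
}

# ---- live path (run with --live and a YubiKey plugged in) ---------------------

release_from_gpg_agent() {
  # stopping scdaemon hands the CCID interface back; gpg restarts it on demand
  if command -v gpgconf >/dev/null 2>&1; then gpgconf --kill scdaemon; fi
}

piv_preflight_live() {
  release_from_gpg_agent
  info=$(ykman piv info) || { echo "preflight: ykman piv info failed" >&2; return 4; }
  piv_preflight "$info"
}

# ---- constructed sample, modelled on the ykman output quoted in the thread ----
SAMPLE_OK='PIV version:              5.1.1
PIN tries remaining:      3
Management key algorithm: TDES
Management key is stored on the YubiKey, protected by PIN.
CHUID: No data available
CCC:   No data available'
SAMPLE_LAST_TRY=$(printf '%s\n' "$SAMPLE_OK" | sed 's/^PIN tries remaining:.*/PIN tries remaining:      1/')
SAMPLE_BLOCKED=$(printf '%s\n' "$SAMPLE_OK" | sed 's/^PIN tries remaining:.*/PIN tries remaining:      0/')
SAMPLE_CUSTOM_AES=$(printf '%s\n' "$SAMPLE_OK" | sed -e 's/^Management key algorithm:.*/Management key algorithm: AES192/' -e '/protected by PIN/d')

if [ "${1:-}" = "--live" ]; then
  piv_preflight_live
else
  piv_preflight "$SAMPLE_OK" && echo "sample: proceed"
fi
```

Run it without arguments to exercise the constructed sample, or with `--live` to check a plugged-in key; a non-zero return code is the signal to stop and sort out the PIV applet (PUK unblock, or the management-key change quoted in the error) rather than let another tool spend a PIN retry.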

@jakubgs
Author

jakubgs commented Jan 9, 2025

I don't understand how the PIV method could have been configured because I've only ever used GnuPG to upload keys to the YubiKey. I have never even heard of this PIV thing. Very weird. I'll look into it but it doesn't seem like that's the case.
