age-plugin-yubikey does not support YubiKeys with custom management keys. In addition to stating that in the error message, we should give CLI arguments for another tool that can be used to migrate the YubiKey to a PIN-protected management key.
The error message the plugin prints for this case is misleading. I tested age-plugin-yubikey version 0.3.0 with a YubiKey 5 NFC with firmware 5.4.3. I found that when using an AES256 management key protected by PIN the plugin printed an error message saying I needed a management key protected by PIN. This was pretty confusing since it was protected by PIN. I dug deeper and realized the issue was really that I was using AES256 and not 3DES for the management key. Once I changed my management code to a custom 3DES protected by PIN, age-plugin-yubikey version 0.3.0 was happy to work with it.
I understand this is a limitation in the underlying yubikey.rs library which (as of version 0.5.0) has not yet been updated to support the AES management keys Yubico began offering in newer firmware. I'm cross-referencing here so others can find it more easily: iqlusioninc/yubikey.rs#330
I just ran into this when trying the plugin and thought I'd share what I tried in case it helps anyone else.
I think in theory the yubico-piv-tool CLI would be able to reset to the default management key with something like "yubico-piv-tool -a set-mgm-key". That didn't work for me and I didn't debug further (I received "Failed authentication with the application."). It also seems that the yubikey crate supports resetting the key but I didn't try calling that code.
In the end I was able to use the PIV Manager GUI application to manually set my management key back to the default and then age-plugin-yubikey was able to proceed with age identity creation.
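The AES-versus-3DES mismatch described in the comments above can be checked before the plugin is run at all, which avoids the misleading "needs a PIN-protected management key" error. The script below is an added example, not code from this issue thread or from the age-plugin-yubikey project. It assumes that ykman 5.x's `ykman piv info` prints a line of the form "Management key algorithm: <ALG>" (the two sample outputs embedded in it are constructed, not captured from a real YubiKey), and that age-plugin-yubikey 0.3.0 accepts only TDES (3DES) management keys, as the thread reports.

```shell
#!/bin/sh
# Added example (not from the issue thread or the plugin project):
# classify the PIV management key algorithm reported by `ykman piv info`
# and say whether age-plugin-yubikey 0.3.0 (yubikey.rs 0.5.0) can use it.
# Assumption: ykman prints "Management key algorithm: <ALG>" on one line.

# Extract the algorithm token from `ykman piv info` output passed as $1.
mgmt_key_algorithm() {
    printf '%s\n' "$1" | sed -n 's/^Management key algorithm:[[:space:]]*\([A-Za-z0-9]*\).*/\1/p'
}

# Exit 0 if the plugin handles this algorithm, 1 otherwise.
# Only the 3DES key type is accepted by age-plugin-yubikey 0.3.0.
plugin_supports_algorithm() {
    case "$1" in
        TDES|3DES) return 0 ;;
        *)         return 1 ;;
    esac
}

# Print a one-line verdict for the given `ykman piv info` output.
# Exit codes: 0 usable, 1 unsupported algorithm, 2 line not found.
check_piv_info() {
    alg=$(mgmt_key_algorithm "$1")
    if [ -z "$alg" ]; then
        echo "unknown: no 'Management key algorithm' line found"
        return 2
    fi
    if plugin_supports_algorithm "$alg"; then
        echo "ok: management key algorithm $alg is supported"
        return 0
    fi
    echo "unsupported: management key algorithm $alg; migrate to TDES before using age-plugin-yubikey 0.3.0"
    return 1
}

# Constructed sample outputs (not captured from a device).
SAMPLE_AES='PIV version:              5.4.3
PIN tries remaining:      3/3
Management key algorithm: AES256
CHUID:  No data available
CCC:    No data available'

SAMPLE_TDES='PIV version:              5.4.3
PIN tries remaining:      3/3
Management key algorithm: TDES'

# Stand-alone demonstration on the constructed samples.
check_piv_info "$SAMPLE_AES" || true
check_piv_info "$SAMPLE_TDES" || true
```

To run it against a real key, source the file and feed it live output: `ykman piv info | { check_piv_info "$(cat)"; }`. A non-zero exit code is the signal to migrate the key before trying the plugin; the thread's own routes for that are yubico-piv-tool's set-mgm-key action or the PIV Manager GUI, and ykman's `piv access change-management-key` subcommand (with a TDES algorithm selection) is assumed to cover the same operation but is not confirmed anywhere on this page.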