[Bug]: yubikey managementKey with AES256 didn't work #883
Description
Steps to Reproduce
If a yubikey Device type: YubiKey 5 NFC Firmware version: 5.7.1 was set to a AES256 management key, it can not be used for step-kms-plugin to generate a key on the yubikey
key=$(export LC_CTYPE=C; dd if=/dev/urandom 2>/dev/null | tr -d '[:lower:]' | tr -cd '[:xdigit:]' | fold -w64 | head -1)
ykman piv access change-management-key -a AES256 -n $key -m 010203040506070801020304050607080102030405060708
step-kms-plugin create --kty RSA --alg SHA512 --size 4096 yubikey:management-key=$key?slot-id=82
Error: failed to load key manager: invalid managementKey: length is not 24 bytes
Your Environment
- OS - Debian
- Version - "Trixie"
- step-kms-plugin/0000000-dev (linux/arm)
Release Date: 2025-10-28 11:38 UTC
Expected Behavior
supper different management key algorithm
Actual Behavior
didn't support AES256 algorithm
Additional Context
go-piv in the actual version can handle different managementkey algorithm.
var managementKeyLengthMap = map[byte]int{
alg3DES: 24,
algAES128: 16,
algAES192: 24,
algAES256: 32,
}
and the function in go-piv func ykAuthenticate(tx *scTx, key []byte, rand io.Reader, version *version) error {
finds it but smallstep/crypto use a fixed version
Contributing
Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).