Key generation fails when using YubiKeys with 5.7.x firmware
When generating keys on a YubiKey with 5.7.x firmware, an error is generated reporting Status Word 6a80 (SW_ERR_INCORRECT_PARAM).
$ cosign piv-tool generate-key
Generating new signing key. This will destroy any previous keys.: y
Error: authenticating with management key: get auth challenge: smart card error 6a80: incorrect parameter in command data field
main.go:74: error during command execution: authenticating with management key: get auth challenge: smart card error 6a80: incorrect parameter in command data field
This is probably because the default algorithm on YubiKeys with firmware 5.7 and later switched from DES3 (Three Key DES, aka TDEA) to AES. See here.
There is a simple workaround: change the management key back to a DES3 key:
Note that the default management key is 010203040506070801020304050607080102030405060708 (for both DES3 and AES-192 algorithms).
Nonetheless, as DES3 has been deprecated, it would be nice if piv-tool supported AES management keys as well.
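The mismatch the report suspects, as an added example that is not part of the original issue and not cosign's or its PIV library's code: a host that names 3DES in the opening GENERAL AUTHENTICATE request is rejected by a token whose management key is AES-192. `FakeCard` is a constructed simulation that models the reported 6a80 status word; the algorithm identifiers and key reference follow NIST SP 800-73-4, and the APDU layout is an assumption based on that specification.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
)

// PIV algorithm identifiers from NIST SP 800-73-4; 0x9b is the management key reference.
const (
	Alg3DES   byte = 0x03
	AlgAES192 byte = 0x0a
	keyMgmt   byte = 0x9b
)

// DefaultKey is the default management key quoted in the report (24 bytes).
var DefaultKey = []byte{1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 6, 7, 8}

// newCipher maps a PIV algorithm identifier to the block cipher keyed with DefaultKey.
func newCipher(alg byte) (cipher.Block, error) {
	switch alg {
	case Alg3DES:
		return des.NewTripleDESCipher(DefaultKey)
	case AlgAES192:
		return aes.NewCipher(DefaultKey)
	}
	return nil, fmt.Errorf("unsupported algorithm %#x", alg)
}

// WitnessRequest builds the GENERAL AUTHENTICATE APDU that opens management key auth.
func WitnessRequest(alg byte) []byte {
	return []byte{0x00, 0x87, alg, keyMgmt, 0x04, 0x7c, 0x02, 0x80, 0x00}
}

// FakeCard is a constructed stand-in for a token whose management key uses cardAlg.
// It models the reported behaviour: status word 0x6a80 when the request names another algorithm.
func FakeCard(cardAlg byte, req []byte) (witness []byte, sw uint16) {
	c, err := newCipher(cardAlg)
	if err != nil || len(req) < 4 || req[2] != cardAlg {
		return nil, 0x6a80
	}
	witness = make([]byte, c.BlockSize())
	c.Encrypt(witness, make([]byte, c.BlockSize())) // constructed all-zero witness plaintext
	return witness, 0x9000
}

func main() {
	for _, hostAlg := range []byte{Alg3DES, AlgAES192} {
		w, sw := FakeCard(AlgAES192, WitnessRequest(hostAlg))
		fmt.Printf("host alg %#x -> sw %04x, witness %d bytes\n", hostAlg, sw, len(w))
	}
}
```

The witness is one cipher block, so a host that supports AES management keys also has to handle 16-byte challenges instead of the 8-byte ones used with 3DES.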