It appears this package does not support authenticating with YubiKeys that use AES-256 for the management key algorithm.
TDES, AES128, and AES192 all work, but using AES256 fails.
Code to Reproduce
package main

import (
	"fmt"

	"pault.ag/go/ykpiv" // go-ykpiv, the cgo wrapper around libykpiv (import path assumed from the identifiers used)
)

func main() {
	readers, err := ykpiv.Readers()
	if err != nil || len(readers) == 0 {
		panic(fmt.Sprintf("no PC/SC reader found: %v", err))
	}
	yubikey, err := ykpiv.New(ykpiv.Options{
		Verbose: true,
		Reader:  readers[0],
		// 32-byte AES-256 management key for slot 9B
		ManagementKey: []byte{0x5b, 0x36, 0xf8, 0xb0, 0xc5, 0xc7, 0x7a, 0xf4, 0x8a, 0x74, 0xb2, 0x23, 0x23, 0x71, 0xf0, 0xd2, 0xf0, 0x84, 0xdc, 0x07, 0x24, 0x03, 0x1e, 0xdf, 0xb2, 0xd8, 0xe0, 0xb5, 0x24, 0xa5, 0xed, 0xd1},
	})
	if err != nil {
		panic(err)
	}
	defer yubikey.Close()
	// Management key authentication; this is the call that fails with SW 6982 below
	if err := yubikey.Authenticate(); err != nil {
		panic("Invalid management key: " + err.Error())
	}
}
Changing the management key out for a TDES, AES128, or AES192 key works.
Verbose output:
DBG ykpiv.c:993 (ykpiv_connect_ex): Connect reader 'Yubico YubiKey CCID' matching 'Yubico YubiKey CCID'.
DBG ykpiv.c:999 (ykpiv_connect_ex): SCardConnect succeeded for 'Yubico YubiKey CCID', protocol=2
DBG ykpiv.c:1356 (_ykpiv_transfer_data): Going to send 11 bytes in this go.
DBG ykpiv.c:1235 (_ykpiv_transmit): > 00a4040005a00000030800 (11)
DBG ykpiv.c:1242 (_ykpiv_transmit): < 61114f0600001000010079074f05a0000003089000 (21)
DBG ykpiv.c:1356 (_ykpiv_transfer_data): Going to send 5 bytes in this go.
DBG ykpiv.c:1235 (_ykpiv_transmit): > 0020008000 (5)
DBG ykpiv.c:1242 (_ykpiv_transmit): < 63c3 (2)
DBG ykpiv.c:1215 (ykpiv_translate_sw_ex): _ykpiv_verify: SW_63c3
DBG ykpiv.c:1356 (_ykpiv_transfer_data): Going to send 5 bytes in this go.
DBG ykpiv.c:1235 (_ykpiv_transmit): > 00fd000000 (5)
DBG ykpiv.c:1242 (_ykpiv_transmit): < 0504039000 (5)
DBG ykpiv.c:1356 (_ykpiv_transfer_data): Going to send 5 bytes in this go.
DBG ykpiv.c:1235 (_ykpiv_transmit): > 00f8000000 (5)
DBG ykpiv.c:1242 (_ykpiv_transmit): < 010be7449000 (6)
DBG ykpiv.c:1356 (_ykpiv_transfer_data): Going to send 5 bytes in this go.
DBG ykpiv.c:1235 (_ykpiv_transmit): > 00f7009b00 (5)
DBG ykpiv.c:1242 (_ykpiv_transmit): < 01010c020200010501009000 (12)
DBG ykpiv.c:1356 (_ykpiv_transfer_data): Going to send 10 bytes in this go.
DBG ykpiv.c:1235 (_ykpiv_transmit): > 00870c9b047c02800000 (10)
DBG ykpiv.c:1242 (_ykpiv_transmit): < 7c1280109ee5d39e8e357db03b2a2eb63c8ab93c9000 (22)
DBG ykpiv.c:1356 (_ykpiv_transfer_data): Going to send 44 bytes in this go.
DBG ykpiv.c:1235 (_ykpiv_transmit): > 00870c9b267c248010f8fdeb2a35345bc9603e22410e3dcd81811097933072f4ccf93da0bc2745024f518000 (44)
DBG ykpiv.c:1242 (_ykpiv_transmit): < 6982 (2)
DBG ykpiv.c:1164 (ykpiv_translate_sw_ex): _ykpiv_authenticate2: SW_ERR_SECURITY_STATUS
Invalid management key: [ykpiv ykpiv_authenticate: Authentication Error (-5) - Authentication error]
Go 1.25.3, macOS 15.7.1, yubico-piv-tool 2.7.2, ykman 5.8.0
YubiKey 5 NFC FIPS firmware 5.4.3
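To make the verbose trace above easier to read, here is an added example (my own code, not part of the issue or of go-ykpiv) that decodes the three APDUs that matter: the GET METADATA reply for slot 9B, which carries the algorithm the card expects for the management key, and the two GENERAL AUTHENTICATE dynamic authentication templates (tag 0x7C). The algorithm identifiers 0x03/0x08/0x0A/0x0C and the tag numbers are those defined for PIV management keys; the function names are mine, and the only inputs are the hex bytes copied from the trace.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
)

// parseTLVs decodes one-byte-tag, short-form-length (< 0x80) BER-TLV elements into a
// tag-to-value map; every object in the trace fits this shape and uses each tag once.
func parseTLVs(b []byte) (map[byte][]byte, error) {
	out := map[byte][]byte{}
	for len(b) > 0 {
		if len(b) < 2 || b[1] >= 0x80 {
			return nil, errors.New("truncated header or unsupported long-form length")
		}
		tag, l := b[0], int(b[1])
		if len(b) < 2+l {
			return nil, fmt.Errorf("tag 0x%02x declares %d bytes, %d present", tag, l, len(b)-2)
		}
		out[tag], b = b[2:2+l], b[2+l:]
	}
	return out, nil
}

// splitStatus separates the trailing two-byte status word from a card response.
func splitStatus(resp []byte) ([]byte, uint16, error) {
	if len(resp) < 2 {
		return nil, 0, errors.New("response shorter than a status word")
	}
	n := len(resp) - 2
	return resp[:n], uint16(resp[n])<<8 | uint16(resp[n+1]), nil
}

// Management key algorithms as reported in slot 9B metadata (tag 0x01) and the key length
// each needs; TDES and AES192 are both 24 bytes, so only the metadata byte tells them apart.
var mgmAlgName = map[byte]string{0x03: "TDES", 0x08: "AES128", 0x0A: "AES192", 0x0C: "AES256"}
var mgmKeyLen = map[byte]int{0x03: 24, 0x08: 16, 0x0A: 24, 0x0C: 32}

// ParseSlot9BAlgorithm decodes a complete GET METADATA response (body + SW) for slot 9B
// and returns the management key algorithm byte the card reports.
func ParseSlot9BAlgorithm(resp []byte) (byte, error) {
	body, sw, err := splitStatus(resp)
	if err != nil || sw != 0x9000 {
		return 0, fmt.Errorf("GET METADATA failed (SW_%04x): %v", sw, err)
	}
	tlvs, err := parseTLVs(body)
	if err != nil {
		return 0, err
	}
	if alg := tlvs[0x01]; len(alg) == 1 && mgmAlgName[alg[0]] != "" {
		return alg[0], nil
	}
	return 0, fmt.Errorf("missing or unknown algorithm field % x", tlvs[0x01])
}

// CheckKeyLength confirms the key passed as Options.ManagementKey has the length the
// card's algorithm requires: the cheapest mismatch to rule out before suspecting ciphers.
func CheckKeyLength(alg byte, key []byte) error {
	if want := mgmKeyLen[alg]; len(key) != want {
		return fmt.Errorf("%s needs a %d-byte key, got %d", mgmAlgName[alg], want, len(key))
	}
	return nil
}

// AuthTemplate is the dynamic authentication template (tag 0x7C) exchanged by
// GENERAL AUTHENTICATE: 0x80 witness, 0x81 challenge, 0x82 response.
type AuthTemplate struct{ Witness, Challenge, Response []byte }

// ParseAuthTemplate decodes a 0x7C template from a command data field or a response
// body (status word already removed).
func ParseAuthTemplate(data []byte) (AuthTemplate, error) {
	outer, err := parseTLVs(data)
	if tpl, ok := outer[0x7C]; err == nil && ok && len(outer) == 1 {
		inner, err := parseTLVs(tpl)
		return AuthTemplate{Witness: inner[0x80], Challenge: inner[0x81], Response: inner[0x82]}, err
	}
	if err == nil {
		err = errors.New("expected exactly one 0x7C template")
	}
	return AuthTemplate{}, err
}

// h decodes a hex constant; the inputs in main are fixed, so the error is not checked.
func h(s string) []byte { b, _ := hex.DecodeString(s); return b }

func main() {
	// Trace bytes copied from the issue: the GET METADATA reply and the host's final GENERAL AUTHENTICATE.
	alg, err := ParseSlot9BAlgorithm(h("01010c020200010501009000"))
	if err != nil {
		panic(err)
	}
	fmt.Println("slot 9B algorithm:", mgmAlgName[alg], "| 32-byte key length ok:", CheckKeyLength(alg, make([]byte, 32)) == nil)
	cmd := h("00870c9b267c248010f8fdeb2a35345bc9603e22410e3dcd81811097933072f4ccf93da0bc2745024f518000")
	c, err := ParseAuthTemplate(cmd[5 : 5+int(cmd[4])]) // data field only: skip CLA INS P1 P2 Lc, drop Le
	if err != nil {
		panic(err)
	}
	fmt.Printf("host sent %d-byte decrypted witness + %d-byte challenge; card answered SW_6982\n", len(c.Witness), len(c.Challenge))
}
```

Run against the trace, the decoder shows that the card reports algorithm 0x0C (AES256) for slot 9B, that the 32-byte key in the reproduction has the right length for that algorithm, that the library already sends P1=0x0C in the GENERAL AUTHENTICATE command, and that the card returns a 16-byte witness which the host answers with a 16-byte decrypted witness plus a 16-byte challenge before the card replies 6982 (security status not satisfied, the error libykpiv translates to SW_ERR_SECURITY_STATUS). That narrows the problem to the host side of the mutual authentication rather than to key length or metadata handling.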