How do I unblock my key after several failed generate attempts?

[antifuchs]

Environment

• OS: macOS 13.3.1
• age-plugin-yubikey version: 0.4.0

What were you trying to do

I tried generating a key on a blank yubikey 5c nano.

What happened

I failed multiple times to correctly identify what the plugin was asking me to do (namely, enter the pin 123456), locking myself out:

:;    age-plugin-yubikey --generate --pin-policy once --touch-policy cached
🎲 Generating key...

Enter PIN for YubiKey with serial 15748267 (default is 123456): [hidden]
Error: Invalid PIN (1 try remaining before it is blocked)

[ Did this not do what you expected? Could an error be more useful? ]
[ Tell us: https://str4d.xyz/age-plugin-yubikey/report              ]
:;    age-plugin-yubikey --generate --pin-policy once --touch-policy cached
🎲 Generating key...

Enter PIN for YubiKey with serial 15748267 (default is 123456): [hidden]
Error: Invalid PIN (0 tries remaining before it is blocked)

[ Did this not do what you expected? Could an error be more useful? ]
[ Tell us: https://str4d.xyz/age-plugin-yubikey/report              ]
:;    age-plugin-yubikey --generate --pin-policy once --touch-policy cached
🎲 Generating key...

Enter PIN for YubiKey with serial 15748267 (default is 123456): [hidden]
Error: Invalid PIN (0 tries remaining before it is blocked)

[ Did this not do what you expected? Could an error be more useful? ]
[ Tell us: https://str4d.xyz/age-plugin-yubikey/report              ]
:;    age-plugin-yubikey --list-all
:;    age-plugin-yubikey --generate --pin-policy once --touch-policy cached
🎲 Generating key...

Enter PIN for YubiKey with serial 15748267 (default is 123456): [hidden]
Error: Invalid PIN (0 tries remaining before it is blocked)

[ Did this not do what you expected? Could an error be more useful? ]
[ Tell us: https://str4d.xyz/age-plugin-yubikey/report              ]

The attempts above, I failed to remember that it's not asking me the PIN for the GPG PIV app, but asks me to enter the default PIN. Oops.

So - how do I get it out of this state? I tried factory-resetting it with gpg --card-edit, which didn't work (and in retrospect can't do anything either, since they're different apps on the key).

[antifuchs]

I'm pretty sure this has happened to me at least once before, on a 4c nano - and I managed to recover from it? But I made no notes nor public bug reports that I can find, so .. help /:

[antifuchs]

And just like that, I remembered: You use the yubikey-manager, and with that, reset the PIV app:

:;    ykman piv info
PIV version:              5.4.3
PIN tries remaining:      0/3
Management key algorithm: 3
WARNING: Using default PIN!
WARNING: Using default Management key!
CHUID: No data available
CCC:   No data available

:;    ykman piv reset
WARNING! This will delete all stored PIV data and restore factory settings. Proceed? [y/N]: y
Resetting PIV data...
Success! All PIV data have been cleared from the YubiKey.
Your YubiKey now has the default PIN, PUK and Management Key:
	PIN:	123456
	PUK:	12345678
	Management Key:	010203040506070801020304050607080102030405060708

[str4d]

Reopening this because we should give some guidance in the error message when we detect there are no PIN attempts remaining. In particular, for a YubiKey configured for this plugin, a user has three more attempts to remember and recover, because their PUK gets set to their PIN.

[antifuchs]

That's a great point! One more thing that I noticed is that ykman seems to be able to detect that the default PINs are in place:

$ ykman piv info
PIV version:              5.4.3
PIN tries remaining:      3/3
Management key algorithm: 3
WARNING: Using default PIN!
WARNING: Using default Management key!
CHUID: No data available
CCC:   No data available

If it's possible for age-plugin-yubikey to see that too, I'd suggest changing the --generate logic to not even prompt for the default PIN and only ask for the new PIN instead.

[alan-strohm]

Reopening this because we should give some guidance in the error message when we detect there are no PIN attempts remaining. In particular, for a YubiKey configured for this plugin, a user has three more attempts to remember and recover, because their PUK gets set to their PIN.

In case others find this, the way I got my three more attempts is via

ykman piv access unblock-pin