Attestation cert failure when generating key locally

[tmb]

Hey folks,

I generated an ECDSA 256 key + certificate locally and added them to my Yubikey. Now, when trying to use yubikey-agent, I get this error: failed to prepare private key: get attestation cert: data object or application not found

I assume this has something to do with my key not being generated on-device. Is there any way to get around this?

Thanks.

[FiloSottile]

The attestation certificate is necessary to extract the PIN policy of the slot. If there is a way to obtain it for imported keys, you should open an issue or PR with piv-go. If not, the best we can do is hardcode it, and it's unclear to what value.

Note that imported keys are not officially supported.

[joeyberkovitz]

@FiloSottile - would you be open to a command line flag to override the PIN policy? That way if the user imported a key, or is using an old Yubikey where piv-go is forced to assume PINPolicyAlways, the user can specify what the actual PIN policy is.

Based on a quick look through, the only change would be getting the flag value into main.go:signers() under piv.KeyAuth

If you think that's reasonable, I'd be happy to submit a PR for that