
ykman openpgp access change-admin-pin accepts PIN that is too long #556

Closed
michaeljmarshall opened this issue Jun 7, 2023 · 3 comments

Comments

@michaeljmarshall

michaeljmarshall commented Jun 7, 2023

  • YubiKey Manager (ykman) version: 5.0.1
  • How was it installed?: homebrew
  • Operating system and version: macOS
  • YubiKey model and version: YubiKey 5C NFC and 5.4.3
  • Bug description summary: The CLI tool accepted a string that was too long for my openpgp admin password and silently truncated it to the correct length.

Steps to reproduce

  1. Run ykman openpgp access change-admin-pin
  2. Enter a PIN more than 63 characters long.
  3. Observe that the PIN is accepted.
  4. Attempt to use the YubiKey with another tool (in my case GPG Keychain), and find that the PIN you entered does not actually work.

Expected result

In the steps above, I would have expected step 2 to fail and tell me that my PIN was not accepted because it is too long.

Actual results and logs

The truncated password was accepted, so what I thought was my PIN was not actually my PIN.

Other info

This documentation suggests PINs cannot be longer than 63 characters: https://support.yubico.com/hc/en-us/articles/4402836718866-Understanding-YubiKey-PINs.

@dainnilsson
Member

Sorry for taking so long on this. I've tried to reproduce this, but haven't been able to. The documentation you've linked to is specifically for FIDO2 PINs and does not apply to OpenPGP. For OpenPGP the max length of a PIN (on a YubiKey) is 127 characters. Attempting to set a PIN longer than 127 characters using ykman results in an error. Other than the error not being very clear (this will be fixed in the next version of ykman), it seems to be behaving as expected.

@dainnilsson
Member

Update: I did notice that GPG is refusing to accept any PIN longer than 99 characters, making a longer PIN practically unusable. This would be a limitation in GPG though, not in ykman or the YubiKey.

@dainnilsson
Member

The latest release of ykman (5.3.0) now produces a more descriptive error if you attempt to set a PIN that is too long (longer than 127 characters).
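The thread contrasts two behaviours for an over-long PIN: silently truncating it (what the reporter believed happened, which leaves the user with a different PIN than they typed) and rejecting it with a descriptive error before anything is sent to the card (what ykman 5.3.0 does). The example below is added here and is not ykman's or Yubico's code; it shows a client-side validator that enforces the limits quoted in the thread (127 for YubiKey OpenPGP, GnuPG's practical 99) and warns about interoperability, beside the truncating behaviour it replaces. It assumes the card limit counts UTF-8 bytes rather than characters, and the minimum admin PIN length of 8 is an assumption used only for this example.

```python
"""Added example (not ykman code): validate an OpenPGP PIN before it leaves the host.

Limits taken from the issue thread:
  - YubiKey OpenPGP maximum PIN length: 127
  - GnuPG refuses PINs longer than 99, so longer PINs are unusable with gpg
Assumptions made for this example only:
  - limits apply to the UTF-8 encoded length in bytes
  - minimum admin PIN length of 8
"""

OPENPGP_MAX_PIN_BYTES = 127   # from the thread: YubiKey OpenPGP limit
GPG_MAX_PIN_BYTES = 99        # from the thread: practical GnuPG limit
ADMIN_PIN_MIN_BYTES = 8       # assumption for this example


class PinError(ValueError):
    """Raised when a PIN must not be sent to the card."""


def truncating_encode(pin: str, limit: int = OPENPGP_MAX_PIN_BYTES) -> bytes:
    """The failure mode the reporter described: cut to the limit without telling
    the user. Kept here only to contrast with validate_pin(); never do this."""
    return pin.encode("utf-8")[:limit]


def validate_pin(
    pin: str,
    *,
    min_bytes: int = ADMIN_PIN_MIN_BYTES,
    max_bytes: int = OPENPGP_MAX_PIN_BYTES,
    interop_max_bytes: int = GPG_MAX_PIN_BYTES,
) -> tuple[bytes, list[str]]:
    """Return (encoded_pin, warnings) or raise PinError with a clear message.

    Hard limits (card) raise; soft limits (other tools) only warn, so the
    caller can still proceed knowingly.
    """
    data = pin.encode("utf-8")
    n = len(data)
    if n < min_bytes:
        raise PinError(f"PIN is {n} bytes, minimum is {min_bytes}")
    if n > max_bytes:
        # Explicit rejection instead of silent truncation: the user learns
        # immediately that the PIN they typed would not be the PIN stored.
        raise PinError(f"PIN is {n} bytes, maximum is {max_bytes}")
    warnings: list[str] = []
    if n > interop_max_bytes:
        warnings.append(
            f"PIN is {n} bytes; some tools (e.g. gpg) reject PINs longer than "
            f"{interop_max_bytes} bytes, so it may be unusable outside ykman"
        )
    if n != len(pin):
        # Multi-byte characters make the byte length larger than the
        # character count; say so, since users count characters.
        warnings.append(f"PIN is {len(pin)} characters but {n} bytes")
    return data, warnings


def change_admin_pin_safely(new_pin: str) -> bytes:
    """Demonstration wrapper: validate, surface warnings, then hand the bytes to
    a hypothetical card-write step (stubbed as returning the bytes)."""
    data, warnings = validate_pin(new_pin)
    for w in warnings:
        print("WARNING:", w)
    # Hypothetical: card.change_admin_pin(data) would go here.
    return data


if __name__ == "__main__":
    long_pin = "a" * 130
    print("truncating encode gives", len(truncating_encode(long_pin)), "bytes")
    try:
        change_admin_pin_safely(long_pin)
    except PinError as e:
        print("rejected:", e)
```

The distinction that matters for users is the one the thread ends on: a hard limit must produce an error the user can act on, and a soft limit from another tool (GnuPG's 99) should be surfaced before the PIN is committed, since the card itself will happily accept it.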
