Change management key
This command is used to change the management key. The management key is required when adding or deleting credentials from the YubiHSM Auth application.
There is a limit of 8 attempts to authenticate with the management key before the management key is blocked. Once the management key is blocked, the application itself must be reset before authentication can be attempted again. To reset the application, see ResetApplicationCommand. Supplying the correct management key before the management key is blocked will reset the retry counter to 8.
Available
All YubiKeys with the YubiHSM Auth application (included in firmware version 5.4.3 and later).
Note
Use the .NET API's HasFeature() method to check if a key has the YubiHSM Auth application.
SDK classes
Input
This command takes in the current management key and the new management key. Each management key is a byte array with exactly 16 bytes.
The default value of the management key is all zeros:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Output
None.
Command APDU
CLA | INS | P1 | P2 | Lc | Data | Le |
---|---|---|---|---|---|---|
00 | 08 | 00 | 00 | 20 | See section below | (absent) |
Data
The data field is a byte array formatted as a pair of TLVs representing the current and new management keys. Both TLV elements have the same tag and must be arranged in the following order:
Order | Meaning | Tag | Size (bytes) |
---|---|---|---|
1 | Current management key | 0x7b | 16 |
2 | New management key | 0x7b | 16 |
Response APDU
The data field is always empty. On success, the status word will be 0x90 0x00. If there was a failure, further information may be communicated in the status word.
Total Length: 2
Data | SW1 | SW2 |
---|---|---|
(no data) | 90 | 00 |
Common failure status words
Value | Meaning |
---|---|
0x6983 | A credential with that label already exists |
0x63c# | Wrong management key, where # is the number of attempts remaining (a maximum of 8) |
0x6a80 | Wrong syntax |
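The following is an added example, not code from the Yubico .NET SDK, that puts the framing described above into practice on both sides of the exchange: it encodes the command APDU (CLA 00, INS 08, P1 00, P2 00, two 0x7b TLVs carrying the current and new 16-byte keys, no Le) and decodes the response status word, including the retries-remaining nibble of 0x63c#. The `build_change_mgmt_key_apdu`, `parse_response` and `decode_status_word` names are this example's own; Lc is computed from the encoded data rather than hard-coded, and the sample keys are constructed for illustration only.

```python
"""Encode the YubiHSM Auth "change management key" command APDU and decode
its response.  Added example; not the Yubico SDK's own code.  Only the
framing given on the page is used (INS 0x08, tag 0x7b, 16-byte keys)."""
from typing import Optional, Tuple

MGMT_KEY_TAG = 0x7B          # tag shared by both TLVs in the data field
MGMT_KEY_LEN = 16            # each management key is exactly 16 bytes
DEFAULT_MGMT_KEY = bytes(MGMT_KEY_LEN)   # factory default: all zeros

CLA, INS_CHANGE_MGMT_KEY, P1, P2 = 0x00, 0x08, 0x00, 0x00

SW_SUCCESS = 0x9000
SW_WRONG_SYNTAX = 0x6A80
SW_ALREADY_EXISTS = 0x6983
SW_WRONG_KEY_MASK = 0xFFF0   # 0x63Cx: low nibble holds the retry count
SW_WRONG_KEY_BASE = 0x63C0


def _tlv(tag: int, value: bytes) -> bytes:
    """Single-byte tag, single-byte length, value (lengths here are <= 16)."""
    return bytes([tag, len(value)]) + value


def build_change_mgmt_key_apdu(current_key: bytes, new_key: bytes) -> bytes:
    """Return the complete command APDU.  Le is absent, as the page states."""
    for name, key in (("current", current_key), ("new", new_key)):
        if len(key) != MGMT_KEY_LEN:
            raise ValueError(f"{name} management key must be exactly {MGMT_KEY_LEN} bytes")
    # Order matters: current key first, then the new key, same tag for both.
    data = _tlv(MGMT_KEY_TAG, current_key) + _tlv(MGMT_KEY_TAG, new_key)
    # Lc is derived from the encoded data so it can never disagree with it.
    return bytes([CLA, INS_CHANGE_MGMT_KEY, P1, P2, len(data)]) + data


def parse_response(resp: bytes) -> Tuple[bytes, int]:
    """Split a response APDU into (data, status word).  Data is expected empty."""
    if len(resp) < 2:
        raise ValueError("response shorter than the 2-byte status word")
    return resp[:-2], (resp[-2] << 8) | resp[-1]


def decode_status_word(sw: int) -> Tuple[str, Optional[int]]:
    """Map a status word to its meaning; for 0x63Cx also return retries left."""
    if sw == SW_SUCCESS:
        return ("success", None)
    if (sw & SW_WRONG_KEY_MASK) == SW_WRONG_KEY_BASE:
        # Low nibble is the number of attempts remaining (maximum 8).
        return ("wrong management key", sw & 0x0F)
    if sw == SW_ALREADY_EXISTS:
        return ("a credential with that label already exists", None)
    if sw == SW_WRONG_SYNTAX:
        return ("wrong syntax", None)
    return ("unrecognised status word", None)


if __name__ == "__main__":
    # Constructed sample: rotate from the all-zero default to a new key.
    new_key = bytes(range(16))   # illustration only, never use a predictable key
    apdu = build_change_mgmt_key_apdu(DEFAULT_MGMT_KEY, new_key)
    print("command APDU:", apdu.hex(" "))
    # Constructed responses: success, then a failed attempt with 7 retries left.
    for resp in (bytes([0x90, 0x00]), bytes([0x63, 0xC7])):
        data, sw = parse_response(resp)
        print(f"SW {sw:04x}: {decode_status_word(sw)} (data length {len(data)})")
```

Checking the retry nibble on every failed attempt is worth wiring into any tooling that drives this command: once 0x63c0 is reached the management key is blocked and only a full application reset (ResetApplicationCommand) recovers it.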