Add reset command for nitrokey 3 #46

Merged (4 commits), Dec 11, 2024
17 changes: 13 additions & 4 deletions src/main.c
@@ -21,6 +21,7 @@

#include "ccid.h"
#include "operations.h"
#include "operations_ccid.h"
#include "return_codes.h"
#include "utils.h"
#include "operations_ccid.h"
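Review bot: the added `#include "operations_ccid.h"` duplicates the include that is already present three lines below (`#include "operations_ccid.h"` after `#include "utils.h"`); drop the new line, or if the intent was to put the includes in alphabetical order, remove the old one instead so the header is included exactly once.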
@@ -40,8 +41,11 @@ void print_help(char *app_name) {
"\t%s check <HOTP CODE>\n"
"\t%s regenerate <ADMIN PIN>\n"
"\t%s set <BASE32 HOTP SECRET> <ADMIN PIN> [COUNTER]\n"
"\t%s nk3-change-pin <old-pin> <new-pin>\n",
app_name, app_name, app_name, app_name, app_name, app_name, app_name);
"\t%s nk3-change-pin <old-pin> <new-pin>\n"
"\t%s reset [ADMIN PIN]\n"
@tlaurion (Contributor) commented on this line, Dec 2, 2024:

Can this be SECRET APP PIN, or should this be readdressed in separate issues and PRs in another round?

Contributor Author replied:

You mean [SECRET APP PIN]?

@tlaurion (Contributor), Dec 2, 2024:


"You mean [SECRET APP PIN]?"

I restate that a UX with many Admin PINs and no User PIN counterpart is misleading.

Yes, Secret App PIN. At least for everything exposed to the user and to Heads as output.

Admin/User PIN makes sense when one has power over the other, which is not the case here, and users are continuously lost as to which PIN is being asked for here for the security dongle, where Heads can only reuse the PIN to simplify things.

The Secret app PIN has a counter of 6 for that reason, as opposed to the User/Admin PIN of gpg, if I understood correctly.

Do you understand what I'm talking about, for the sake of fewer support requests, UX consistency and less user confusion?

Yes, secret app PIN here, since the secure element's secret app PIN != the gpg OpenPGP smartcard's Admin PIN.

#46 (comment) referring to linuxboot/heads#1866 (comment)

Contributor commented:

I repeat.

You proposed:

See also issue #36
Change this:

HOTP code verification application, version 1.6
Connected device status:
	Card serial: 0x7BE66C6C
	Firmware: v4.13
	Card counters: Admin 6, User 6
Operation success

To

HOTP code verification application, version 1.6
Connected device status:
	Card serial: 0x7BE66C6C
	Firmware Nitrokey 3: v1.7.1
	Firmware Secrets app: v4.13
	Secret app pin counters : Admin 6, User 6
Operation success

I proposed and restated:

Even more sensible: no secret app named anywhere, because there is none on non-NK3 (regression), so no version of a non-existing secret app, no secret app PIN, just real information:

HOTP code verification application, version 1.7
Connected device status:
	Card serial: 0x7BE66C6C
	Firmware Nitrokey 2: v1.7.1
	OpenPGP smartcard PIN counters : Admin: 3, User: 3
Operation success

For nk3:

HOTP code verification application, version 1.7
Connected device status:
	Card serial: 0x7BE66C6C
	Firmware Nitrokey 3: v1.7.1
	Firmware Secrets app: v4.13
	Secret app PIN counter : 6
	OpenPGP smartcard PIN counters : Admin: 3, User: 3
Operation success

Originally posted by @tlaurion in #38 (comment)

"\t%s regenerate\n"
"\t%s set <BASE32 HOTP SECRET> <ADMIN PIN> [COUNTER]\n",
app_name, app_name, app_name, app_name, app_name, app_name, app_name, app_name, app_name, app_name);
}


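Review bot: the usage text now lists `regenerate` and `set` twice (the unchanged `"\t%s regenerate <ADMIN PIN>\n"` and `"\t%s set <BASE32 HOTP SECRET> <ADMIN PIN> [COUNTER]\n"` lines, then the added `"\t%s regenerate\n"` and a second `set` line), and the added `regenerate` entry drops `<ADMIN PIN>` even though parse_cmd_and_run still requires three arguments for it; remove the duplicated pair and keep the number of `%s` placeholders in step with the ten `app_name` arguments. For `"\t%s reset [ADMIN PIN]\n"`, the optional argument is the PIN that nk3_reset sets after the wipe (it is handed to set_pin_ccid), so naming it `[NEW PIN]` would match the `new_pin` parameter declared in operations_ccid.h and the PIN-naming concern raised in the thread above.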
@@ -161,8 +165,13 @@ int parse_cmd_and_run(int argc, char *const *argv) {
}
break;
case 'r':
if (argc != 3) break;
res = regenerate_AES_key(&dev, argv[2]);
if (strncmp(argv[1], "reset", 15) == 0) {
if (argc != 2 && argc != 3) break;
res = nk3_reset(&dev, argc == 3 ? argv[2]: NULL);
} else if (strncmp(argv[1], "regenerate", 15) == 0) {
if (argc != 3) break;
res = regenerate_AES_key(&dev, argv[2]);
}
break;
default:
break;
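Review bot: `reset` with no further argument (`argc == 2`) calls nk3_reset straight away, so a mistyped command wipes the device with no confirmation; consider requiring an explicit confirmation argument or a yes/no prompt before the reset APDU is sent, especially since the help string advertises the PIN as optional. Minor: `strncmp(argv[1], "reset", 15)` and `strncmp(argv[1], "regenerate", 15)` use a length longer than either literal, which is strcmp in disguise; use strcmp, or `sizeof("reset")` so the bound is visibly tied to the literal. Also, when argv[1] starts with 'r' but matches neither string, the case falls through to `break` with `res` left at whatever value it had, so an unknown `r...` command produces no diagnostic; add an else branch that reports the unknown command.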
53 changes: 53 additions & 0 deletions src/operations_ccid.c
@@ -32,6 +32,59 @@
#include <string.h>



int nk3_reset(struct Device *dev, const char * new_pin) {
libusb_device *usb_dev;
struct libusb_device_descriptor usb_desc;

if (!dev->mp_devhandle_ccid) {
// Not an NK3
printf("No Nitrokey 3 found. No operation performed\n");
return RET_NO_ERROR;
}

usb_dev = libusb_get_device(dev->mp_devhandle_ccid);

int r = libusb_get_device_descriptor(usb_dev, &usb_desc);

if (r < 0) {
return r;
}


if (usb_desc.idVendor != NITROKEY_USB_VID || usb_desc.idProduct != NITROKEY_3_USB_PID) {
printf("No Nitrokey 3 found. No operation performed\n");
return RET_NO_ERROR;
}


uint8_t buf[10];
// encode
uint32_t icc_actual_length = iso7816_compose(buf, sizeof buf, Ins_Reset, 0xDE, 0xAD, 0, 0, NULL, 0);

// encode ccid wrapper
icc_actual_length = icc_compose(dev->ccid_buffer_out, sizeof dev->ccid_buffer_out,
0x6F, icc_actual_length,
0, 0, 0, buf);
// send
IccResult iccResult;
r = ccid_process_single(dev->mp_devhandle_ccid, dev->ccid_buffer_in, sizeof dev->ccid_buffer_in,
dev->ccid_buffer_out, icc_actual_length, &iccResult);
if (r != 0) {
return r;
}
// check status code
if (iccResult.data_status_code != 0x9000) {
return 1;
}

if (new_pin != NULL) {
set_pin_ccid(dev, new_pin);
}

return RET_NO_ERROR;
}

int set_pin_ccid(struct Device *dev, const char *admin_PIN) {
TLV tlvs[] = {
{
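Review bot: the result of `set_pin_ccid(dev, new_pin);` is discarded, so when the reset succeeds but setting the new PIN fails the function still returns RET_NO_ERROR and the caller is left with a wiped device that does not have the PIN it asked for; return (or at least check and report) that value. The error paths are also inconsistent: a libusb failure returns the raw negative `r`, a status word other than 0x9000 returns a bare `1` with no message, and both "No Nitrokey 3 found. No operation performed" paths print and return RET_NO_ERROR, which reports a no-op as success; a dedicated return code for "device not found" would let a calling script tell the three outcomes apart. The P1/P2 bytes `0xDE, 0xAD` passed to iso7816_compose deserve a named constant or a comment saying which command variant they select.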
4 changes: 4 additions & 0 deletions src/operations_ccid.h
@@ -12,6 +12,10 @@ int set_secret_on_device_ccid(struct Device *dev, const char *admin_PIN, const c
int verify_code_ccid(struct Device *dev, const uint32_t code_to_verify);
int status_ccid(libusb_device_handle *handle, struct FullResponseStatus *full_response);
int nk3_change_pin(struct Device *dev, const char *old_pin, const char*new_pin);
// new_pin can be `null`
//
// If it is, no new pin will be set
int nk3_reset(struct Device *dev, const char * new_pin);


#endif//NITROKEY_HOTP_VERIFICATION_OPERATIONS_CCID_H
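Review bot: the comment says `null`, but the C value is NULL; the comment should also state that the function performs a factory reset of the device and that new_pin, when given, is set afterwards via set_pin_ccid, since a caller reading only this header cannot tell that the call is destructive. Style: `const char * new_pin` is spaced differently from the neighbouring `const char*new_pin` in nk3_change_pin; pick one form.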