From 30236ffbaaea83acadaf10f3337376a0affa22fc Mon Sep 17 00:00:00 2001 From: alex-nitrokey Date: Tue, 30 Jun 2020 18:29:42 +0200 Subject: [PATCH 1/2] Delete AES keys of Nitrokey Storage after reset If smartcard Nitrokey Storage was factory-reset, we delete AES keys on it as well. Explanation: After oem-factory-reset was started the AES on the Nitrokey Storage that is used for the encrypted volume and the password safe is not usable anymore because the smart card was factory-reset. To make it usable, a user needs to delete it via Nitrokey App. By doing so, the HOTP secret is deleted as well, resulting in a bad warning in Heads. Therefore, we are resetting the AES key right after factory-reset with hotp_verification --- initrd/bin/oem-factory-reset | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset index f0707a0c..9db1c6ef 100755 --- a/initrd/bin/oem-factory-reset +++ b/initrd/bin/oem-factory-reset @@ -70,6 +70,10 @@ gpg_key_reset() ERROR=`cat /tmp/gpg_card_edit_output` whiptail_error_die "GPG Key factory reset failed!\n\n$ERROR" fi + # If NK Storage is inserted, reset AES keys as well + if [ ! $(lsusb | grep -q "20a0:") ] && [ -x /bin/hotp_verification ] ; then + /bin/hotp_verification regenerate ${ADMIN_PIN_DEF} + fi # Generate OEM GPG keys { echo admin From a224c430260f1f7c9e10aba59546d3a3bea6b8ae Mon Sep 17 00:00:00 2001 From: alex-nitrokey Date: Wed, 5 Aug 2020 11:49:06 +0200 Subject: [PATCH 2/2] Add PID for Storage --- initrd/bin/oem-factory-reset | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset index 9db1c6ef..002e399d 100755 --- a/initrd/bin/oem-factory-reset +++ b/initrd/bin/oem-factory-reset
@@ -70,9 +70,9 @@ gpg_key_reset() ERROR=`cat /tmp/gpg_card_edit_output` whiptail_error_die "GPG Key factory reset failed!\n\n$ERROR" fi - # If NK Storage is inserted, reset AES keys as well - if [ ! $(lsusb | grep -q "20a0:") ] && [ -x /bin/hotp_verification ] ; then - /bin/hotp_verification regenerate ${ADMIN_PIN_DEF} + # If Nitrokey Storage is inserted, reset AES keys as well + if lsusb | grep -q "20a0:4109" && [ -x /bin/hotp_verification ] ; then + /bin/hotp_verification regenerate ${ADMIN_PIN_DEF} fi # Generate OEM GPG keys {
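Review bot: The detection test in PATCH 1/2, `if [ ! $(lsusb | grep -q "20a0:") ]`, never checks for the device: `grep -q` prints nothing, so the command substitution expands to the empty string and the test collapses to `[ ! ]`, a one-argument `test` that is true because the string `!` is non-empty. The branch therefore runs whenever `/bin/hotp_verification` is executable, with or without a Nitrokey Storage attached, and the pattern `"20a0:"` would in any case match every device with that vendor id rather than the Storage. Since PATCH 2/2 replaces exactly these three lines, squash the two commits so that the broken condition never lands as a standalone, bisectable state.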
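Review bot: The corrected condition `if lsusb | grep -q "20a0:4109" && [ -x /bin/hotp_verification ]` in PATCH 2/2 is right, but the exit status of `/bin/hotp_verification regenerate ${ADMIN_PIN_DEF}` is still ignored, so a failed regeneration leaves the user in precisely the unusable-AES-key state the series sets out to prevent, and silently. Mirror the error handling a few lines up and surface a failure, e.g. `/bin/hotp_verification regenerate ${ADMIN_PIN_DEF} || whiptail_error_die "Nitrokey Storage AES key regeneration failed"` (or a non-fatal warning, if the GPG reset should still be considered successful). Two smaller points: the comment should say "regenerate" to match the subcommand actually invoked, since nothing here deletes keys, and `${ADMIN_PIN_DEF}` is not defined in the visible context, so the commit message should state that it is the default admin PIN the card reverts to after the factory reset.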