oem-factory-reset+seal-hotp nk3 hotp-verification info adaptations

- oem-factory-reset: fix strings for nk3 is from https://github.com/Nitrokey/nitrokey-hotp-verification/pull/43 is Secrets app, not Secret App singular, not App capitalized - initrd/bin/seal-hotpkey: adapt to check nk3 Secrets App PIN counter if nk3, keep Card counters for <nk3 from https://github.com/Nitrokey/nitrokey-hotp-verification/pull/43 - Unattended hotp_initialize output removed since we need physical presence to seal HOTP until https://github.com/Nitrokey/nitrokey-hotp-verification/issues/41 is fixed - Finally make seal_hotp use logic to detect if public key <1m old, use HOTP related PIN by default if counter is not <3, warn that re-ownership needs to be ran to change it since no security offered at all otherwise with HOTP - unify format with linting tool Tested in local tree against https://patch-diff.githubusercontent.com/raw/Nitrokey/nitrokey-hotp-verification/pull/43.patch, removing https://patch-diff.githubusercontent.com/raw/Nitrokey/nitrokey-hotp-verification/pull/46.patch - will revert the change above in PR once testing is over Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2025-03-13 07:54:34 +00:00 · 2024-12-06 09:48:28 -05:00 · 2024-12-06 09:48:28 -05:00 · ebf4d1d221
commit ebf4d1d221
parent 4fd710696e
2 changed files with 82 additions and 84 deletions
--- a/initrd/bin/oem-factory-reset
+++ b/initrd/bin/oem-factory-reset
@ -143,13 +143,15 @@ mount_boot() {
 reset_nk3_secret_app() {
 	TRACE_FUNC
-	# Reset Nitrokey 3 Secret App
+	# Reset Nitrokey 3 Secrets App
 	if lsusb | grep -q "20a0:42b2"; then
 		echo
-		echo "Resetting Nitrokey 3 Secret App PIN. Physical presence (touch) will be required"
+		warn "Resetting Nitrokey 3 Secrets App PIN. Physical presence (touch) will be required"
 		#TODO, change message when https://github.com/Nitrokey/nitrokey-hotp-verification/issues/41 is fixed
 		# Reset Nitrokey 3 secret app with PIN
-		/bin/hotp_verification reset "${ADMIN_PIN}"
+		if ! /bin/hotp_verification reset "${ADMIN_PIN}"; then
 			whiptail_error_die "Failed to reset Nitrokey 3 Secrets App with error code $?, contact Nitrokey support"
 		fi
 	fi
 }
@ -552,7 +554,6 @@ gpg_key_factory_reset() {
 		whiptail_error_die "GPG Key factory reset failed!\n\n$ERROR"
 	fi
 	# If Nitrokey Storage is inserted, reset AES keys as well
 	if lsusb | grep -q "20a0:4109" && [ -x /bin/hotp_verification ]; then
 		DEBUG "Nitrokey Storage detected, resetting AES keys..."
@ -1388,7 +1389,7 @@ fi
 #if nk3 detected, we add the NK3 Secre App PIN. Detect by product ID
 if lsusb | grep -q "20a0:42b2"; then
-	passphrases+="Nitrokey 3 Secret App PIN: ${ADMIN_PIN}\n"
+	passphrases+="Nitrokey 3 Secrets App PIN: ${ADMIN_PIN}\n"
 fi
 #GPG PINs output
@ -1403,7 +1404,6 @@ if [ "$GPG_GEN_KEY_IN_MEMORY" = "y" ]; then
 	passphrases+="GPG key material backup passphrase: ${ADMIN_PIN}\n"
 fi
 # Show configured secrets in whiptail and loop until user confirms qr code was scanned
 while true; do
 	whiptail --msgbox "
--- a/initrd/bin/seal-hotpkey
+++ b/initrd/bin/seal-hotpkey
@ -8,8 +8,7 @@ HOTP_SECRET="/tmp/secret/hotp.key"
 HOTP_COUNTER="/boot/kexec_hotp_counter"
 HOTP_KEY="/boot/kexec_hotp_key"
-mount_boot()
+mount_boot() {
 {
 	TRACE_FUNC
 	# Mount local disk if it is not already mounted
 	if ! grep -q /boot /proc/mounts; then
@ -23,8 +22,7 @@ mount_boot()
 TRACE_FUNC
-fatal_error()
+fatal_error() {
 {
 	echo -e "\nERROR: ${1}; press Enter to continue."
 	read
 	# get lsusb output for debugging
@ -41,8 +39,8 @@ fi
 if [ "$CONFIG_TPM" = "y" ]; then
 	DEBUG "Sealing HOTP secret reuses TOTP sealed secret..."
-	tpmr unseal 4d47 0,1,2,3,4,7 312 "$HOTP_SECRET" \
+	tpmr unseal 4d47 0,1,2,3,4,7 312 "$HOTP_SECRET" ||
-		|| fatal_error "Unable to unseal HOTP secret"
+		fatal_error "Unable to unseal HOTP secret"
 else
 	# without a TPM, generate a secret based on the SHA-256 of the ROM
 	secret_from_rom_hash >"$HOTP_SECRET" || die "Reading ROM failed"
@ -99,13 +97,19 @@ gpg_key_create_time="${gpg_key_create_time:-0}"
 DEBUG "Signature key was created at $(date -d "@$gpg_key_create_time")"
 now_date="$(date '+%s')"
-# Get the number of admin PIN retry attempts remaining
+# Get the number of HOTP related PIN retry attempts remaining
-awk_admin_counter_regex='/^\s*Card counters: Admin (\d),.*$/'
+# if nk3 detected by lsusb, use different regex to get admin counter
-awk_get_admin_counter="$awk_admin_counter_regex"' { print gensub('"$awk_admin_counter_regex"', "\\1", "") }'
+if lsusb | grep -q "20a0:42b2"; then
-admin_pin_retries="$(echo "$hotp_token_info" | awk "$awk_get_admin_counter")"
+	# Nitrokey 3: Secrets app PIN counter: 8
 	admin_pin_retries=$(echo "$hotp_token_info" | grep "Secrets app PIN counter:" | cut -d ':' -f 2 | tr -d ' ')
 	prompt_message="Secrets app"
 else
 	admin_pin_retries=$(echo "$hotp_token_info" | grep "Card counters: Admin" | cut -d ':' -f 2 | tr -d ' ')
 	prompt_message="GPG Admin"
 fi
 admin_pin_retries="${admin_pin_retries:-0}"
-DEBUG "Admin PIN retry counter is $admin_pin_retries"
+DEBUG "HOTP related PIN retry counter is $admin_pin_retries"
 #TODO: as per hotp_verification 1.6: this is 8 for nk3 and wrong. FIX
 # Try using factory default admin PIN for 1 month following OEM reset to ease
 # initial setup.  But don't do it forever to encourage changing the PIN and
@ -122,21 +126,15 @@ if [ "$((now_date - gpg_key_create_time))" -gt "$month_secs" ]; then
 elif [ "$admin_pin_retries" -lt 3 ]; then
 	echo "Not trying default PIN ($admin_pin), only $admin_pin_retries attempt(s) left"
 else
-	hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING" >/dev/null 2>&1
+	echo "Trying $prompt_message PIN ($admin_pin) to seal HOTP secret on $HOTPKEY_BRANDING... You may be requested to touch the dongle..."
 	#TODO: silence the output of hotp_initialize once https://github.com/Nitrokey/nitrokey-hotp-verification/issues/41 is fixed
 	#hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING" >/dev/null 2>&1
 	hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING"
 	admin_pin_status="$?"
 fi
 if [ "$admin_pin_status" -ne 0 ]; then
  # create custom message for PIN prompt based on nk3 lsusb product id
  prompt_message=""
  if lsusb | grep -q "20a0:42b2"; then
 	  prompt_message="Secure App"
  else
 	  prompt_message="GPG Admin"
  fi
 	# prompt user for PIN and retry
 	echo ""
 	read -s -p "Enter your $HOTPKEY_BRANDING $prompt_message PIN: " admin_pin
@ -151,7 +149,7 @@ if [ "$admin_pin_status" -ne 0 ]; then
 			# don't leak key on failure
 			shred -n 10 -z -u "$HOTP_SECRET" 2>/dev/null
 			if [ "$HOTPKEY_BRANDING" == "Nitrokey" ]; then
-	      fatal_error "Setting HOTP secret failed, to reset $prompt_message PIN, redo Re-Ownership procedure, the Nitrokey App 2 or contact Nitrokey support"
+				fatal_error "Setting HOTP secret failed, to reset $prompt_message PIN, redo Re-Ownership procedure, use the Nitrokey App 2 or contact Nitrokey support"
 			else
 				fatal_error "Setting HOTP secret failed"
 			fi
@ -159,7 +157,7 @@ if [ "$admin_pin_status" -ne 0 ]; then
 	fi
 else
 	# remind user to change admin password
-  echo -e "\nWARNING: default admin PIN detected: please change this as soon as possible."
+	warn "Factory $prompt_message default PIN detected: please change this PIN as soon as possible through OEM Factory Reset/User Re-Ownership"
 fi
 # HOTP key no longer needed
@ -173,13 +171,13 @@ shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
 mount -o remount,rw /boot
-counter_value=`expr $counter_value + 1`
+counter_value=$(expr $counter_value + 1)
-echo $counter_value > $HOTP_COUNTER \
+echo $counter_value >$HOTP_COUNTER ||
-|| fatal_error "Unable to create hotp counter file"
+	fatal_error "Unable to create hotp counter file"
 # Store/overwrite HOTP USB Security Dongle branding found out beforehand
-echo $HOTPKEY_BRANDING > $HOTP_KEY \
+echo $HOTPKEY_BRANDING >$HOTP_KEY ||
-|| die "Unable to store hotp key file"
+	die "Unable to store hotp key file"
 #sha256sum /tmp/counter-$counter > $HOTP_COUNTER \
 #|| die "Unable to create hotp counter file"