[Gnuk-users] Can't change pin on FST-01 - "general error"

NIIBE Yutaka gniibe at fsij.org
Thu Dec 8 23:47:07 UTC 2016


Duncan Guthrie <dguthrie at posteo.net> writes:
> I insert the device in my computer, and run "gpg --card-edit". I then
> type "admin" to enable more privileged commands, and select
> "passwd". I then select option 2, "unblock PIN", as directed by this
> page, https://wiki.debian.org/Smartcards/OpenPGP, under the section
> "initialising the smartcard". I am prompted for the admin PIN, which
> is left as default and this is accepted.
>
> However, any PIN I type in to change the PIN is always rejected, with
> the generic error message "general error".  Selecting the other
> options, such as "change PIN", yields the same result, albeit this
> option does not ask for the admin PIN, but the regular default PIN.

Sorry for your inconvenience.

This is the behaviour of Gnuk 1.2.  Changing the user PIN is only possible
when private keys are installed (at least one key).  I should address
this incompatible change more clearly.

In Gnuk 1.0, user PIN information (hashed PIN) is recorded onto the
flash ROM on the MCU until three private keys are registered.  So, it is
possible for Gnuk 1.0 to change the user PIN with no private key.  On the
other hand, Gnuk 1.0 doesn't allow overriding key import (the user needs to
delete keys with a Gnuk-specific tool before installing a new private key).

In Gnuk 1.2, user PIN information is never recorded onto the flash ROM.
Authentication is done by checking whether the encrypted private key can be
successfully decoded (or not).

This breakage was introduced because I thought it important to
securely support the use case with only one or two private keys,
while allowing overriding key import.

In Gnuk 1.0, I assumed that all users install three private keys onto the
OpenPGPcard.  I realized that there are many users who don't.

Please stay with the factory setting of the initial user PIN, 123456,
until you install private keys (or generate them on the token).  Only
after installing private keys, change the user PIN.

I know that developers should avoid this kind of breakage, which requires
changing how the user uses the software/device.  I tried to avoid it, but I
couldn't find any good solution with no breakage.  So my choice was a
(possibly acceptable) small breakage at the initial interaction, in
order to fix a major security flaw in some known use cases.

Well, let me explain the possible risk of Gnuk 1.0.  When a user
installs fewer than three private keys (one or two), the token has no
protection of the private key(s) against invasive physical attacks on the MCU.

> Also of significance is that when running the tests in the "test"
> directory, these are all successful; however, in "tests" I get the
> following error:

Thanks for your report.  This is not related to the error you got.

> ============================= test session starts ==============================
> platform linux -- Python 3.4.2 -- py-1.4.25 -- pytest-2.6.3
> collected 98 items
>
> test_empty_card.py E
>
> ==================================== ERRORS ====================================
> _________________________ ERROR at setup of test_login _________________________
> pytest.fixture functions cannot use ``yield``. Instead write and return an inner function/generator and let the consumer call and iterate over it.:
>
>     @pytest.fixture(scope="session")
>     def card():
>         print()
>         print("Test start!")
>         reader = get_ccid_device()
>         print("Reader:", reader.get_string(1), reader.get_string(2))
>         card = OpenPGP_Card(reader)
>         card.cmd_select_openpgp()
>         yield card
>         del card
>
> /home/user/gnuk/tests/conftest.py:9
> !!!!!!!!!!!!!!!!!!!! Interrupted: stopping after 1 failures !!!!!!!!!!!!!!!!!!!!
> =========================== 1 error in 0.09 seconds ============================

I guess this is due to a version difference in pytest or Python.
I'll check the error and fix it as the error message suggests.
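To make the Gnuk 1.2 rule concrete, here is an added Python model of the mechanism described above; it is not Gnuk's own code, and the PBKDF2 key derivation, the SHA-256 XOR keystream and the HMAC tag are this model's assumptions, not Gnuk's actual format. The PIN is never stored: authentication is a successful decryption of the wrapped key, so a PIN change before any key is imported has nothing to check against and fails, just as gpg reports.

```python
import hashlib
import hmac
import secrets


class GeneralError(Exception):
    """Stands in for the bare "general error" gpg shows when the token refuses."""


def _kek(pin: bytes, salt: bytes) -> bytes:
    # Key-encryption key derived from the PIN (KDF choice is an assumption of the model).
    return hashlib.pbkdf2_hmac("sha256", pin, salt, 10_000, dklen=32)


def _keystream(kek: bytes, n: int) -> bytes:
    # Counter-mode keystream from SHA-256; stands in for whatever cipher a real token uses.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(kek + ctr.to_bytes(4, "big")).digest()
    return out[:n]


class Token:
    """Gnuk 1.2 style: no PIN hash in flash, only a PIN-wrapped private key (or nothing)."""

    def __init__(self) -> None:
        self.blob = None      # (salt, ciphertext, tag) once a key is installed, else None
        self.retries = 3

    def import_key(self, pin: bytes, key: bytes) -> None:
        salt = secrets.token_bytes(16)
        kek = _kek(pin, salt)
        ct = bytes(a ^ b for a, b in zip(key, _keystream(kek, len(key))))
        tag = hmac.new(kek, salt + ct, "sha256").digest()   # lets us tell right PIN from wrong
        self.blob = (salt, ct, tag)

    def unlock(self, pin: bytes) -> bytes:
        """Verify the PIN by decrypting: only possible once a key exists."""
        if self.blob is None:
            raise GeneralError("no private key installed, nothing to verify the PIN against")
        if self.retries == 0:
            raise GeneralError("PIN blocked")
        salt, ct, tag = self.blob
        kek = _kek(pin, salt)
        if not hmac.compare_digest(tag, hmac.new(kek, salt + ct, "sha256").digest()):
            self.retries -= 1
            raise GeneralError("wrong PIN")
        self.retries = 3
        return bytes(a ^ b for a, b in zip(ct, _keystream(kek, len(ct))))

    def change_pin(self, old: bytes, new: bytes) -> None:
        key = self.unlock(old)       # raises GeneralError on a token with no key yet
        self.import_key(new, key)    # re-wrap the same key under the new PIN
```

A memory dump of this model yields only the salt, ciphertext and tag, which is the property the message describes Gnuk 1.2 buying at the cost of the PIN-change breakage.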