[Gnuk-users] gnuk-users Digest, Vol 71, Issue 4

Srinivas V vsrinu26f at gmail.com
Sun Dec 18 12:32:03 UTC 2016


Note: I use one NeuG and one Gnuk to ensure good gpg session keys.

Does Gnuk or Nitro use their own RNG, or do they use the PC's OS RNG?

Thank you
Srinivas

> On Dec 18, 2016, at 3:19 AM, gnuk-users-request at lists.alioth.debian.org wrote:
> 
> Today's Topics:
> 
>   1. Re: Upgrading gnuk on a nitrokey start (Remy van Elst)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Sun, 18 Dec 2016 10:18:43 +0100
> From: Remy van Elst <relst at relst.nl>
> To: "Jan Suhr | Nitrokey" <jan at nitrokey.com>
> Cc: Gnuk and NeuG <gnuk-users at lists.alioth.debian.org>
> Subject: Re: [Gnuk-users] Upgrading gnuk on a nitrokey start
> Message-ID:
>    <CABcRdyR1WejuCtG_dGEpXLgFATmnU68epkjWLvRSy1kK+LhU1g at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
> 
> Well, it seems to work without issues on the nitrokeys I upgraded earlier
> via DFU, but it still bricks my only non-borked non-upgraded Nitrokey start:
> 
> Before upgrade (my only non-bricked nitrokey still in the original case):
> 
>    $ gpg --card-status
>    Reader ...........: 20A0:4211:FSIJ-1.0.4-52FF6C06:0
>    Application ID ...: D276000124010200FFFE52FF6C060000
>    Version ..........: 2.0
>    Manufacturer .....: unmanaged S/N range
>    Serial number ....: 52FF6C06
>    Name of cardholder: [not set]
>    Language prefs ...: [not set]
>    Sex ..............: unspecified
>    URL of public key : [not set]
>    Login data .......: [not set]
>    Signature PIN ....: forced
>    Key attributes ...: rsa2048 rsa2048 rsa2048
>    Max. PIN lengths .: 127 127 127
>    PIN retry counter : 3 3 3
>    Signature counter : 0
>    Signature key ....: [none]
>    Encryption key....: [none]
>    Authentication key: [none]
>    General key info..: [none]
> 
> 
>    $ python2 usb_strings.py
>    Device:
>        Vendor: Nitrokey
>       Product: Nitrokey Start
>        Serial: FSIJ-1.0.4-52FF6C06
>      Revision: release/1.0.4-6-g739e00e
>        Config: NITROKEY_START:dfu=no:debug=no:pinpad=no:certdo=yes:keygen=yes
>           Sys: 1.0
> 
> 
> 
> 
> Upgrade fails:
> 
> $ python2 ./upgrade_by_passwd.py -f  ../regnual/regnual.bin ../src/build/gnuk.bin
> ../regnual/regnual.bin: 4372
> ../src/build/gnuk.bin: 110592
> CRC32: f3fafa79
> 
> Device:
> Configuration: 1
> Interface: 0
> 20001400:20004a00
> Downloading flash upgrade program...
> start 20001400
> end   20002500
> Run flash upgrade program...
> Waiting for device to appear:
> - Wait 1 seconds...
> - Wait 1 seconds...
> - Wait 1 seconds...
> - Wait 1 seconds...
> - Wait 1 seconds...
> - Wait 1 seconds...
> - Wait 1 seconds...
> - Wait 1 seconds...
> - Wait 1 seconds...
> - Wait 1 seconds...
> - Wait 1 seconds...
> - Wait 1 seconds...
> - Wait 1 seconds...
> - Wait 1 seconds...
> - Wait 1 seconds...
> - Wait 1 seconds...
> - Wait 1 seconds...
> - Wait 1 seconds...
> ^CTraceback (most recent call last):
>  File "./upgrade_by_passwd.py", line 134, in <module>
>    main(wait_e, keyno, passwd, data_regnual, data_upgrade[4096:])
>  File "./upgrade_by_passwd.py", line 75, in main
>    time.sleep(wait_e)
> KeyboardInterrupt
> 
> 
> 
> Nitrokey blinks, green light.
> 
> The earlier-upgraded versions do work:
> 
> Before upgrade (Nitrokey start key upgraded via DFU):
> 
>    $ gpg --card-status
>    Reader ...........: 20A0:4211:FSIJ-1.2.1-87042430:0
>    Application ID ...: D276000124010200FFFE870424300000
>    Version ..........: 2.0
>    Manufacturer .....: unmanaged S/N range
>    Serial number ....: 87042430
>    Name of cardholder: [not set]
>    Language prefs ...: [not set]
>    Sex ..............: unspecified
>    URL of public key : [not set]
>    Login data .......: [not set]
>    Signature PIN ....: forced
>    Key attributes ...: rsa2048 rsa2048 rsa2048
>    Max. PIN lengths .: 127 127 127
>    PIN retry counter : 3 3 3
>    Signature counter : 0
>    Signature key ....: [none]
>    Encryption key....: [none]
>    Authentication key: [none]
>    General key info..: [none]
> 
> 
> 
>    $ python2 usb_strings.py
>    Device:
>        Vendor:
>       Product: Nitrokey
>        Serial: FSIJ-1.2.1-87042430
>      Revision: release/1.2.1-1-g2b784cb-modified
>        Config: NITROKEY_START:dfu=no:debug=no:pinpad=no:certdo=no
>           Sys: 3.0
> 
> 
> 
> Upgrade:
> 
> 
> 
>    ../regnual/regnual.bin: 4372
>    ../src/build/gnuk.bin: 110592
>    CRC32: f3fafa79
> 
>    Device:
>    Configuration: 1
>    Interface: 0
>    20002800:20005000
>    Downloading flash upgrade program...
>    start 20002800
>    end   20003900
>    Run flash upgrade program...
>    Waiting for device to appear:
>    - Wait 1 seconds...
>    Device:
>    08001000:08020000
>    Downloading the program
>    start 08001000
>    end   0801b000
>    Resetting device
>    Update procedure finished
> 
> 
> 
> After upgrade:
> 
>    $ python2 usb_strings.py
>    Device:
>        Vendor: Nitrokey
>       Product: Nitrokey Start
>        Serial: FSIJ-1.2.2-87042430
>      Revision: release/1.0.2-471-g1a76ab5
>        Config: NITROKEY_START:dfu=no:debug=no:pinpad=no:certdo=no
>           Sys: 3.0
> 
> 
>    $ gpg --card-status
>    Reader ...........: 20A0:4211:FSIJ-1.2.2-87042430:0
>    Application ID ...: D276000124010200FFFE870424300000
>    Version ..........: 2.0
>    Manufacturer .....: unmanaged S/N range
>    Serial number ....: 87042430
>    Name of cardholder: [not set]
>    Language prefs ...: [not set]
>    Sex ..............: unspecified
>    URL of public key : [not set]
>    Login data .......: [not set]
>    Signature PIN ....: forced
>    Key attributes ...: rsa2048 rsa2048 rsa2048
>    Max. PIN lengths .: 127 127 127
>    PIN retry counter : 3 3 3
>    Signature counter : 0
>    Signature key ....: [none]
>    Encryption key....: [none]
>    Authentication key: [none]
>    General key info..: [none]
> 
> 
> 
> 
> EC keys:
> 
>    [10:09:28] [remy at gateway] [ ~/repo/nitrokey-upfix/tool (gnuk1.2-regnual-fix) ]
>    $ gpg-connect-agent "SCD SETATTR KEY-ATTR --force 1 22 ed25519" /bye
>    OK
> 
>    [10:09:31] [remy at gateway] [ ~/repo/nitrokey-upfix/tool (gnuk1.2-regnual-fix) ]
>    $ gpg --card-status
>    Reader ...........: 20A0:4211:FSIJ-1.2.2-87042430:0
>    Application ID ...: D276000124010200FFFE870424300000
>    Version ..........: 2.0
>    Manufacturer .....: unmanaged S/N range
>    Serial number ....: 87042430
>    Name of cardholder: [not set]
>    Language prefs ...: [not set]
>    Sex ..............: unspecified
>    URL of public key : [not set]
>    Login data .......: [not set]
>    Signature PIN ....: forced
>    Key attributes ...: ed25519 rsa2048 rsa2048
>    Max. PIN lengths .: 127 127 127
>    PIN retry counter : 3 3 3
>    Signature counter : 0
>    Signature key ....: [none]
>    Encryption key....: [none]
>    Authentication key: [none]
>    General key info..: [none]
> 
> 
>    [10:09:33] [remy at gateway] [ ~/repo/nitrokey-upfix/tool (gnuk1.2-regnual-fix) ]
>    $ gpg-connect-agent "SCD SETATTR KEY-ATTR --force 3 22 ed25519" /bye
>    OK
> 
>    [10:10:05] [remy at gateway] [ ~/repo/nitrokey-upfix/tool (gnuk1.2-regnual-fix) ]
>    $ gpg-connect-agent "SCD SETATTR KEY-ATTR --force 2 18 cv25519" /bye
>    OK
> 
> 
>    $ gpg --card-status
>    Reader ...........: 20A0:4211:FSIJ-1.2.2-87042430:0
>    Application ID ...: D276000124010200FFFE870424300000
>    Version ..........: 2.0
>    Manufacturer .....: unmanaged S/N range
>    Serial number ....: 87042430
>    Name of cardholder: [not set]
>    Language prefs ...: [not set]
>    Sex ..............: unspecified
>    URL of public key : [not set]
>    Login data .......: [not set]
>    Signature PIN ....: forced
>    Key attributes ...: ed25519 cv25519 ed25519
>    Max. PIN lengths .: 127 127 127
>    PIN retry counter : 3 3 3
>    Signature counter : 0
>    Signature key ....: [none]
>    Encryption key....: [none]
>    Authentication key: [none]
>    General key info..: [none]
> 
> 
> 
> 
> 
> 
> https://raymii.org
> 
> On Fri, Dec 16, 2016 at 11:27 AM, Jan Suhr | Nitrokey <jan at nitrokey.com>
> wrote:
> 
>> Hi Remy,
>> 
>> we prepared a fix for regnual to enable updating a Nitrokey Start. It is
>> here: https://github.com/Nitrokey/nitrokey-start-firmware/tree/gnuk1.2-regnual-fix
>> 
>> Please let me know if it works for you.
>> 
>> Best regards,
>> Jan
>> 
>> Am 12.10.2016 19:50, schrieb Remy van Elst:
>> 
>> I tried to do the update with the provided scripts, but that failed with
>> the same symptoms as before. The green LED keeps blinking, waiting a few
>> minutes doesn't give any progress and after reinsertion the Nitrokey seems
>> to not do anything. A DFU flash fixes that.
>> 
>> Before the upgrade
>> 
>>    $ python2 usb_strings.py
>>    Device:
>>        Vendor:
>>       Product: Nitrokey
>>        Serial: FSIJ-1.2.1-87042430
>>      Revision: release/1.2.1-1-g2b784cb-modified
>>        Config: NITROKEY_START:dfu=no:debug=no:pinpad=no:certdo=no
>>           Sys: 3.0
>> 
>> 
>> Running the update:
>> 
>>    $ python2 upgrade_by_passwd.py -f ../regnual/regnual.bin ../src/build/gnuk.bin
>>    ../regnual/regnual.bin: 4412
>>    ../src/build/gnuk.bin: 110592
>>    CRC32: 303d2f62
>> 
>>    Device:
>>    Configuration: 1
>>    Interface: 0
>>    20002800:20005000
>>    Downloading flash upgrade program...
>>    start 20002800
>>    end   20003900
>>    Run flash upgrade program...
>>    Wait 1 seconds...
>>    Wait 1 seconds...
>>    Wait 1 seconds...
>>    [...] #repeats until cancelled
>> 
>>    ^CTraceback (most recent call last):
>>      File "upgrade_by_passwd.py", line 130, in <module>
>>        main(wait_e, keyno, passwd, data_regnual, data_upgrade[4096:])
>>      File "upgrade_by_passwd.py", line 73, in main
>>        time.sleep(wait_e)
>>    KeyboardInterrupt
>> 
>> 
>> 
>> 
>> dmesg output during the update:
>> 
>>    [ 2464.228628] usb 2-1.2: USB disconnect, device number 4
>>    [ 2468.101333] usb 1-1.1: new full-speed USB device number 3 using ehci-pci
>>    [ 2541.541385] usb 1-1.1: USB disconnect, device number 3
>>    [ 2542.831257] usb 1-1.1: new full-speed USB device number 4 using ehci-pci
>>    [ 2554.745022] usb 1-1.1: USB disconnect, device number 4
>>    [ 2557.543186] usb 1-1.1: new full-speed USB device number 5 using ehci-pci
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> https://raymii.org
>> 
>>> On Wed, Oct 12, 2016 at 1:38 PM, Jan Suhr <jan at nitrokey.com> wrote:
>>> 
>>> Hi Remy,
>>> 
>>> I understand your Nitrokey Start is flashed with the latest Gnuk 1.2, but I'm
>>> curious if regnual would work from now on or not. Did you try to update
>>> Gnuk 1.2 via regnual? (Perhaps "update" to the same Gnuk version just for
>>> the sake of testing it.)
>>> 
>>> Regards,
>>> Jan
>>> 
>>> 
>>> Am 11.10.2016 17:33, schrieb Remy van Elst:
>>> 
>>> Small update,
>>> 
>>> I fried one Nitrokey when trying to solder on the ST Link headers. Bummer.
>>> 
>>> I hot-air desoldered a USB header from an old motherboard in the e-waste
>>> bin and used the standard USB pinout, which, surprisingly, worked. (
>>> https://i.imgur.com/PQ7QG2B.png).
>>> 
>>> The stm32flash tool was unable to remove the flash protection:
>>> 
>>>    $ sudo stm32flash -u  /dev/ttyUSB0
>>>    stm32flash 0.5
>>> 
>>>    http://stm32flash.sourceforge.net/
>>> 
>>>    Interface serial_posix: 57600 8E1
>>>    Version      : 0x22
>>>    Option 1     : 0x00
>>>    Option 2     : 0x00
>>>    Device ID    : 0x0410 (STM32F10xxx Medium-density)
>>>    - RAM        : 20KiB  (512b reserved by bootloader)
>>>    - Flash      : 128KiB (size first sector: 4x1024)
>>>    - Option RAM : 16b
>>>    - System RAM : 2KiB
>>>    Write-unprotecting flash
>>>    Got NACK from device on command 0x73
>>>    Done.
>>> 
>>> so I had to use the Windows ST Demo loader tool. It worked, and I'm able
>>> to flash the gnuk 1.2 release to the Nitrokey start. (Not the fried one,
>>> another one). That seems to work so far:
>>> 
>>> 
>>> 
>>> $ gpg --card-status
>>> 
>>>    Reader ...........: Nitrokey Nitrokey Start (FSIJ-1.2.1-87042430) 00 00
>>>    Application ID ...: D276000124010200FFFE870424300000
>>>    Version ..........: 2.0
>>>    Manufacturer .....: unmanaged S/N range
>>>    Serial number ....: 87042430
>>>    Name of cardholder: [not set]
>>>    Language prefs ...: [not set]
>>>    Sex ..............: unspecified
>>>    URL of public key : [not set]
>>>    Login data .......: [not set]
>>>    Signature PIN ....: forced
>>>    Key attributes ...: rsa2048 rsa2048 rsa2048
>>>    Max. PIN lengths .: 127 127 127
>>>    PIN retry counter : 3 3 3
>>>    Signature counter : 4
>>>    Signature key ....: 3D1B 8501 882B EA0D D813  6CAC 1437 62A5 87BD 54FE
>>>          created ....: 2016-10-11 15:06:29
>>>    Encryption key....: 9898 208B 7876 4F65 A06E  3E65 637A 80D6 31D5 21C2
>>>          created ....: 2016-10-11 15:06:29
>>>    Authentication key: 2141 3E30 8EFF F2D0 FB3D  4C9E DA3D F5B9 7130 1532
>>>          created ....: 2016-10-11 15:06:29
>>>    General key info..: pub  rsa2048/0x143762A587BD54FE 2016-10-11 Remy test (Test gnuk1.2) <remy at test.nl>
>>>    sec>  rsa2048/0x143762A587BD54FE  created: 2016-10-11  expires: 2016-10-18
>>>                                      card-no: FFFE 87042430
>>>    ssb>  rsa2048/0xDA3DF5B971301532  created: 2016-10-11  expires: 2016-10-18
>>>                                      card-no: FFFE 87042430
>>>    ssb>  rsa2048/0x637A80D631D521C2  created: 2016-10-11  expires: 2016-10-18
>>>                                      card-no: FFFE 87042430
>>> 
>>> 
>>> 
>>> After flashing it with the Windows tool, stm32flash does work:
>>> 
>>> 
>>> 
>>>    $ sudo stm32flash -w build/gnuk.bin -g 0x0 /dev/ttyUSB0
>>>    stm32flash 0.5
>>> 
>>>    http://stm32flash.sourceforge.net/
>>> 
>>>    Using Parser : Raw BINARY
>>>    Interface serial_posix: 57600 8E1
>>>    Version      : 0x22
>>>    Option 1     : 0x00
>>>    Option 2     : 0x00
>>>    Device ID    : 0x0410 (STM32F10xxx Medium-density)
>>>    - RAM        : 20KiB  (512b reserved by bootloader)
>>>    - Flash      : 128KiB (size first sector: 4x1024)
>>>    - Option RAM : 16b
>>>    - System RAM : 2KiB
>>>    Write to memory
>>>    Erasing memory
>>>    Wrote address 0x0801b000 (100.00%) Done.
>>> 
>>>    Starting execution at address 0x08000000... done.
>>> 
>>> I can also place an ecc 25519 key on the device:
>>> 
>>>    $ gpg --card-status
>>> 
>>>    Reader ...........: Nitrokey Nitrokey Start (FSIJ-1.2.1-87042430) 00 00
>>>    Application ID ...: D276000124010200FFFE870424300000
>>>    Version ..........: 2.0
>>>    Manufacturer .....: unmanaged S/N range
>>>    Serial number ....: 87042430
>>>    Name of cardholder: [not set]
>>>    Language prefs ...: [not set]
>>>    Sex ..............: unspecified
>>>    URL of public key : [not set]
>>>    Login data .......: [not set]
>>>    Signature PIN ....: forced
>>>    Key attributes ...: ed25519 rsa2048 rsa2048
>>>    Max. PIN lengths .: 127 127 127
>>>    PIN retry counter : 3 3 3
>>>    Signature counter : 0
>>>    Signature key ....: 3678 F2EE 1CCB 4B24 B107  38BA 101D 491F 08E7 FD60
>>>          created ....: 2016-10-11 15:31:27
>>>    Encryption key....: [none]
>>>    Authentication key: [none]
>>>    General key info..: pub  ed25519/0x101D491F08E7FD60 2016-10-11 test remy ecc (gnuk 1.2) <nitrokey at raymii.nl>
>>>    sec>  ed25519/0x101D491F08E7FD60  created: 2016-10-11  expires: 2016-10-18
>>>                                      card-no: FFFE 87042430
>>> 
>>> 
>>> Yay!
>>> 
>>> 
>>> 
>>> 
>>> https://raymii.org
>>> 
>>>> On Fri, Sep 16, 2016 at 3:26 PM, NIIBE Yutaka <gniibe at fsij.org> wrote:
>>>> 
>>>> Hello, Jan,
>>>> 
>>>>> On 09/16/2016 05:38 PM, Jan Suhr wrote:
>>>>> Nitrokey Start hardware is based on FST-01. In particular the MCU is
>>>>> identical. The main differences are:
>>>>> - No external flash
>>>>> - Different pinning. See:
>>>>> https://github.com/Nitrokey/nitrokey-start-firmware/commit/c98d6cbc4a225f10bca8f2d7b86effcbdcf534f4
>>>>> 
>>>>> Do you think the different pinning may be a cause for the update issue?
>>>> 
>>>> Thanks for the pointer.
>>>> 
>>>> The file is a bit different to the one in Chopstx (Gnuk 1.2).
>>>> 
>>>> https://git.gniibe.org/gitweb/?p=chopstx/chopstx.git;a=commitdiff;h=8650bde8a056ca8d7954837bfd6692958e263634;hp=6e7334dcfff83898ff6b8568bf24c6fe90deaa9c
>>>> 
>>>> I had thought that it was because of a hardware revision change.  If it
>>>> is the same hardware, I think that Gnuk 1.0 on Nitrokey Start doesn't work
>>>> well with the upgrade through USB.
>>>> 
>>>> One of my friends kindly showed me the board of Nitrokey Start.
>>>> I also examined the KiCAD schematic of:
>>>> 
>>>>    https://github.com/Nitrokey/nitrokey-pro-hardware
>>>> 
>>>> Well, examining a schematic is not that easy, even for such a simple
>>>> one.
>>>> 
>>>> PA9 and PA10 are connected to USB-D- and USB-D+.  And with the
>>>> configuration of Gnuk 1.0 for Nitrokey Start, those pins PA9 and
>>>> PA10 are pulled up by Vdd.  I think that this interferes with the USB
>>>> shutdown and re-enumeration process of the USB upgrade.
>>>> 
>>>> I think that the configuration of Gnuk 1.2 for Nitrokey Start is
>>>> better.
>>>> --
>>>> 
>>>> _______________________________________________
>>>> gnuk-users mailing list
>>>> gnuk-users at lists.alioth.debian.org
>>>> https://lists.alioth.debian.org/mailman/listinfo/gnuk-users
>>>> 
> 
> ------------------------------
> 
> End of gnuk-users Digest, Vol 71, Issue 4
> *****************************************
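The two things a practitioner would want to check around the upgrade runs quoted above, as an added example in Python (the language of upgrade_by_passwd.py itself); this is not code from the thread, from Gnuk or from Nitrokey. First, reproducing the start/end addresses the tool printed from the image sizes and the RAM/flash windows the device reported, so an image that would not fit is rejected before anything is downloaded; second, confirming from `gpg --card-status` text that the token came back with a newer FSIJ firmware string and an unchanged Application ID, serial and PIN retry counters, as the 1.2.1 to 1.2.2 run above did. Assumptions: the rounding of the printed end address down to a 256-byte boundary is inferred from the printed numbers, not read from the tool; the 4096-byte skip is the `data_upgrade[4096:]` visible in the tracebacks; the AID layout follows the OpenPGP card specification; the two status samples are constructed to mirror the quoted output.

```python
"""Sanity checks around a Gnuk / Nitrokey Start firmware upgrade.

Added example for this thread, not code from Gnuk, Nitrokey or any poster.  It
uses only what the thread shows: the regnual.bin/gnuk.bin sizes, the RAM and
flash windows upgrade_by_passwd.py printed, the 4096-byte skip visible in its
traceback (data_upgrade[4096:]) and the `gpg --card-status` output.
"""
import re
from collections import namedtuple

OPENPGP_AID_PREFIX = bytes.fromhex("D27600012401")   # RID D2 76 00 01 24 + app 01
READER_RE = re.compile(r"FSIJ-(\d+(?:\.\d+)*)-([0-9A-Fa-f]{8})")
CardStatus = namedtuple("CardStatus", "firmware serial aid key_attrs pin_retries")


def transfer_window(start, length, window_end):
    """Start/end addresses for one download, as the upgrade tool prints them.

    Assumption inferred from the thread's addresses (not read from the tool):
    the printed end is start+length rounded down to a 256-byte boundary.
    Raises if the image overruns the window the device reported.
    """
    if start + length > window_end:
        raise ValueError("%d bytes do not fit %08x:%08x" % (length, start, window_end))
    return start, (start + length) & ~0xFF


def parse_card_status(text):
    """Extract the fields the checks need from `gpg --card-status` output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip(" .")] = value.strip()
    m = READER_RE.search(fields.get("Reader", ""))   # e.g. 20A0:4211:FSIJ-1.2.2-87042430:0
    if not m:
        raise ValueError("Reader string is not a Gnuk/FSIJ token: %r" % fields.get("Reader"))
    return CardStatus(firmware=m.group(1), serial=m.group(2).upper(),
                      aid=fields["Application ID"].upper(),
                      key_attrs=tuple(fields["Key attributes"].split()),
                      pin_retries=tuple(int(n) for n in fields["PIN retry counter"].split()))


def decode_aid(aid_hex):
    """Split a 16-byte OpenPGP card application ID into its fields.

    Layout per the OpenPGP card spec: RID(5) app(1) version(2, BCD)
    manufacturer(2) serial(4) RFU(2); manufacturer FFFE is the
    'unmanaged S/N range' gpg reports for these tokens.
    """
    raw = bytes.fromhex(aid_hex)
    if len(raw) != 16 or raw[:6] != OPENPGP_AID_PREFIX:
        raise ValueError("not an OpenPGP card AID: %s" % aid_hex)
    return {"version": "%x.%x" % (raw[6], raw[7]),
            "manufacturer": raw[8:10].hex().upper(),
            "serial": raw[10:14].hex().upper()}


def _ver(s):
    return tuple(int(p) for p in s.split("."))


def check_upgrade(before_text, after_text):
    """Compare card-status before/after; an empty list means it looks sane."""
    before, after = parse_card_status(before_text), parse_card_status(after_text)
    problems = []
    if after.serial != before.serial:
        problems.append("serial changed %s -> %s" % (before.serial, after.serial))
    if after.aid != before.aid:
        problems.append("application ID changed")
    if decode_aid(after.aid)["serial"] != after.serial:
        problems.append("AID serial does not match Reader serial %s" % after.serial)
    if _ver(after.firmware) <= _ver(before.firmware):
        problems.append("firmware not newer: %s -> %s" % (before.firmware, after.firmware))
    if after.pin_retries != before.pin_retries:
        problems.append("PIN retry counters changed: %s -> %s"
                        % (before.pin_retries, after.pin_retries))
    return problems


# Constructed samples mirroring the thread's output for token 87042430.
BEFORE = """\
Reader ...........: 20A0:4211:FSIJ-1.2.1-87042430:0
Application ID ...: D276000124010200FFFE870424300000
Version ..........: 2.0
Manufacturer .....: unmanaged S/N range
Serial number ....: 87042430
Key attributes ...: rsa2048 rsa2048 rsa2048
PIN retry counter : 3 3 3
"""
AFTER = BEFORE.replace("FSIJ-1.2.1", "FSIJ-1.2.2")

if __name__ == "__main__":
    print("regnual -> RAM   : %08x..%08x" % transfer_window(0x20002800, 4372, 0x20005000))
    print("gnuk.bin -> flash: %08x..%08x" % transfer_window(0x08001000, 110592 - 4096, 0x08020000))
    print(decode_aid("D276000124010200FFFE870424300000"))
    print("problems:", check_upgrade(BEFORE, AFTER))
```

Feeding the block the real numbers from the thread gives back exactly what the tool printed: regnual at 20002800..20003900 (or 20001400..20002500 on the Gnuk 1.0 token), and gnuk.bin minus its first 4096 bytes at 08001000..0801b000. Running it on the saved before/after card-status text is a cheap way to confirm an upgrade left the token's identity intact before any keys are put on it.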


