[Gnuk-users] GnuK 1.2.1 locked Admin PW

NIIBE Yutaka gniibe at fsij.org
Thu Apr 6 01:07:39 UTC 2017


Hello,

I understand your frustration.  I'm sorry for that.

> I'm considering buying a TIAO USB Multi-Protocol Adapter v2, so I can
> easily flash the firmware on the FST-01. But can this also be solved
> without an SWD interface?

Gnuk 1.2.2 and later support a "Factory Reset" command as a
compile-time option (for me, reluctantly).  So, this "Factory Reset" can
be an option.  But, it is 1.2.1, unfortunately.

The reason I did so reluctantly is that it might invite another risk of
being stolen as hardware (not as a private key).

Peter Lebbing <peter at digitalbrains.com> wrote:
> How can I unlock it? I don't have a completely assembled SWD programmer
> yet. What I mean is, I have a TIAO USB Multi-Protocol Adapter v1. They
> added SWD support in v2. But it might be possible to coax this from v1
> as well with some wires or perhaps a transistor.

I think that if you have some experience with the FTDI chip, you can use
the v1 adapter with wires and resistors (no transistor), perhaps, by
configuring OpenOCD.  Once, I used the configuration of the FTDI chip in
OpenOCD:

     openocd/tcl/interface/ftdi/swd-resistor-hack.cfg

But, I recommend using a working tool at first.

FYI: what I use (and I ask the manufacturer) is my own tool, BBG-SWD.

    FST-01G Test Plan:
    https://www.gniibe.org/memo/development/fst-01/fst-01g-testplan.html

> I wanted separate user and admin PINs. So first I changed the Admin PIN.
> That worked. Then I changed the user PIN. For some reason, I couldn't
> use either the new or the old PIN, and I locked it. I tried to unblock
> using the Admin PIN and later also a Reset Code, but got "Condition of
> use not satisfied" (SW1/SW2 = 6985). Upon reading some source code, I
> figured out this was because I didn't have any keys. I don't know why
> this is a condition, but it is, so...

I guess that the original OpenPGP card implementation stores some
information about the user PIN in the card.  But for Gnuk, I try hard not
to do so, to lower the risk of a possible attack reading out the content
of flash ROM.  Gnuk 1.2 validates the user PIN by successful
decryption of the private key.

> Here I encountered a nice catch-22. If I used --card-edit generate, it
> would prompt for my User PIN! Well, it's blocked, sorry about that. So
> no "generate" for me. I did --edit-key some-RSA-2048-test-key and
> "keytocard", so I now had a key on there. Hooray, I could change the PIN.
>
> As an aside, I think this is a bit awkward. Want to unblock your PIN?
> Sure, generate some keys. Generate some keys? Please unblock your PIN
> first. This is pretty unfortunate and not a nice user experience. I can
> cope, I roll my eyes and do "keytocard", but somebody else might not
> know a way out. The basic issue is: *why* is GnuPG even asking for a
> user PIN? Section 7.2.13 of the OpenPGP Card Spec v3.0 says:
>
>> The command can only be used after correct presentation of
>> PW3 for the generation of a key pair.
>
> It says nothing about PW1 being needed.

I see your point.

I confirmed that the GnuPG frontend asks for PW1 when generating keys.  I
can find the comment in g10/card-util.c:

      /* Check the PIN now, so that we won't get asked later for each
         binding signature. */

It doesn't match Gnuk Token, as Gnuk Token resets the PIN at key generation.

> Back to my issues. I got there, right? No. Any attempt to do something
> requiring the user PIN got me "PINs not synched" or similar message. I
> could not change the PINs. An unblock led to "PINs not synched". As a
> final "let's try this then", I changed the Admin PIN without changing
> it. I typed my old PIN, and then my old PIN twice again.

I don't understand this paragraph.  Could you please identify PINs by
PIN-Admin-old, PIN-Admin-new, PIN-user-factory, PIN-user-0, etc.?

> In addition to the blinking LED, it also shows this:
>
>> Reader ...........: 234B:0000:FSIJ-1.2.1-87061340:0
>> Application ID ...: D276000124010200FFFE870613400000
>> Version ..........: 2.0
>> Manufacturer .....: unmanaged S/N range
>> Serial number ....: 87061340
>> Name of cardholder: Peter Lebbing
>> Language prefs ...: en
>> Sex ..............: male
>> URL of public key : [not set]
>> Login data .......: [not set]
>> Signature PIN ....: not forced
>> Key attributes ...: rsa2048 rsa2048 rsa2048
>> Max. PIN lengths .: 127 127 127
>> PIN retry counter : 2 3 0
>> Signature counter : 0
>> Signature key ....: [none]
>> Encryption key....: 713F F089 6E52 73C8 7DD2  844F 1BD8 6BE8 3C3F 84D5
>>       created ....: 2016-12-05 11:12:51
>> Authentication key: [none]

I think that you can decrypt with the user PIN of the factory setting,
"123456".
-- 



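The design point in the message above (no PIN information kept in flash, the PIN validated by successfully decrypting the private key) can be shown with a small model. This is an added example, not part of the original message and not Gnuk's code: the `Token` class, the PBKDF2 parameters, the toy SHA-256 keystream with HMAC tag and the sample key bytes are all constructed assumptions. The only value taken from the thread is the 6985 status word, used here for the case where no key is stored.

```python
import hashlib
import hmac
import os

# ISO 7816 status words; 0x6985 is the one quoted in the thread.
SW_OK, SW_WRONG_PIN, SW_NO_KEY = 0x9000, 0x6982, 0x6985

def _derive(pin, salt):
    # Assumed KDF and parameters, chosen for the example only.
    k = hashlib.pbkdf2_hmac("sha256", pin, salt, 10_000, 64)
    return k[:32], k[32:]  # encryption key, MAC key

def _xor_stream(key, data):
    # Toy SHA-256 counter keystream standing in for a real cipher.
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def wrap_key(pin, private_key):
    # Encrypt-then-MAC under keys derived from the PIN.
    salt = os.urandom(16)
    enc_key, mac_key = _derive(pin, salt)
    ct = _xor_stream(enc_key, private_key)
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return salt, ct, tag

def unwrap_key(pin, blob):
    # Returns the private key, or None if the PIN does not authenticate.
    salt, ct, tag = blob
    enc_key, mac_key = _derive(pin, salt)
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor_stream(enc_key, ct)

class Token:
    def __init__(self):
        self.slots = {}  # wrapped keys only; no PIN or PIN hash is stored

    def import_key(self, slot, pin, private_key):
        self.slots[slot] = wrap_key(pin, private_key)

    def check_pin(self, pin):
        if not self.slots:
            return SW_NO_KEY  # nothing stored to validate a PIN against
        blob = next(iter(self.slots.values()))
        return SW_OK if unwrap_key(pin, blob) is not None else SW_WRONG_PIN
```

In this model a flash dump holds only salt, ciphertext and tag, and an empty token cannot distinguish a right PIN from a wrong one, which is the situation the quoted report ran into before "keytocard".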