Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OEM Factory Reset / Re-Ownership should not permit custom passphrase <8 >20 characters #1167

Closed
tlaurion opened this issue Jun 2, 2022 · 3 comments · Fixed by #1168
Closed

OEM Factory Reset / Re-Ownership should not permit custom passphrase <8 >20 characters #1167

tlaurion opened this issue Jun 2, 2022 · 3 comments · Fixed by #1168

Comments

@tlaurion
Copy link
Collaborator

tlaurion commented Jun 2, 2022
edited
Loading

Since Nitrokey / Librem Key firmware doesn't support it

Additionally, Admin/User PINs should also be consequently limited to not accept >20 chars.

OpenPGP Card supports PINs of max 32 characters, but firmware supports only 20 per HID packet size limitation per upstream bug Nitrokey/nitrokey-pro-firmware#32

@MrChromebox @jans23
@tlaurion
Copy link
Collaborator Author

tlaurion commented Jun 2, 2022
edited
Loading

Confused, since I made my tests previously by provisioning "Insurgo Open Technologies", which is 25 chars, so more then 20 but less then 32. Testing an old Librem Key here, so that might be linked to an older firmware version.

gpg --card-status shows Version 3.3 and Max. PIN lengths of 64.
hotp_verification info shows Firmware v0.10 on that USB Security dongle...

So this seems to be linked to an old firmware limitation?
Custom passphrase at OEM Factory Reset was "strongman preflight blouse" which was 26 chars.

Result on HOTP sealing:
signal-2022-06-02-113225

@tlaurion
Copy link
Collaborator Author

tlaurion commented Jun 2, 2022

Also present in firmware 0.11...

@tlaurion tlaurion mentioned this issue Jun 2, 2022
Open
@tlaurion
Copy link
Collaborator Author

tlaurion commented Jun 2, 2022
edited
Loading

So I confirm that on firmware versions as early as 0.9 to latest in my possession, 25 chars works at sealing HOTP secret, but not with 26 chars.

This is why my tests with "Insurgo Open Technologies" (25 chars) worked. And why "strongman preflight blouse" (26 chars) doesn't.... Messy.

@MrChromebox @jans23 @daringer @szszszsz : plan of action? We limit custom passphrase and GPG PINs to <=25 chars?

tlaurion added a commit to tlaurion/heads that referenced this issue Jun 2, 2022
@tlaurion
bin/oem-factory-reset: prevent users to choose a GPG Admin PIN > 25 c…
92804db 
…hars which would fail HOTP sealing

Fixes linuxboot#1167
Circumvents Nitrokey/nitrokey-app#223
Adds validation so usr cannot enter GPG User PIN > 64 while we are at it.

Note that GPG PINs can be up to 64 characters.
But GPG Admin PIN will fail HOTP sealing with GPG Admin PIN of more then 25 chars.
@tlaurion tlaurion mentioned this issue Jun 2, 2022
Merged
tlaurion added a commit to tlaurion/heads that referenced this issue Jun 2, 2022
@tlaurion
bin/oem-factory-reset: prevent users to choose a GPG Admin PIN > 25 c…
32e7031 
…hars which would fail HOTP sealing

Fixes linuxboot#1167
Circumvents Nitrokey/nitrokey-pro-firmware#32
Adds validation so user cannot enter GPG User PIN > 64 while we are at it.

Note that GPG PINs can be up to 64 characters.
But GPG Admin PIN will fail HOTP sealing with GPG Admin PIN of more then 25 chars.

Edit: change upstream error to firmware issue, not nitrokey-app.
Asiderr pushed a commit to 3mdeb/heads that referenced this issue Jun 14, 2022
@tlaurion
bin/oem-factory-reset: prevent users to choose a GPG Admin PIN > 25 c…
4be24ce 
…hars which would fail HOTP sealing

Fixes linuxboot#1167
Circumvents Nitrokey/nitrokey-pro-firmware#32
Adds validation so user cannot enter GPG User PIN > 64 while we are at it.

Note that GPG PINs can be up to 64 characters.
But GPG Admin PIN will fail HOTP sealing with GPG Admin PIN of more then 25 chars.

Edit: change upstream error to firmware issue, not nitrokey-app.
root-hardenedvault pushed a commit to hardenedvault/vaultboot that referenced this issue Jun 27, 2022
@tlaurion @root-hardenedvault
bin/oem-factory-reset: prevent users to choose a GPG Admin PIN > 25 c…
f6a4ed2 
…hars which would fail HOTP sealing

Fixes linuxboot/heads#1167
Circumvents Nitrokey/nitrokey-pro-firmware#32
Adds validation so user cannot enter GPG User PIN > 64 while we are at it.

Note that GPG PINs can be up to 64 characters.
But GPG Admin PIN will fail HOTP sealing with GPG Admin PIN of more then 25 chars.

Edit: change upstream error to firmware issue, not nitrokey-app.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
1 participant
@tlaurion