OEM Factory Reset / Re-Ownership should not permit custom passphrase <8 >20 characters #1167
Comments
Confused, since I made my tests previously by provisioning "Insurgo Open Technologies", which is 25 chars, so more than 20 but less than 32. Testing an old Librem Key here, so that might be linked to an older firmware version.
So this seems to be linked to an old firmware limitation?
Also present in firmware 0.11...
So I confirm that on firmware versions as early as 0.9 to the latest in my possession, 25 chars works at sealing HOTP secret, but not with 26 chars. This is why my tests with "Insurgo Open Technologies" (25 chars) worked. And why "strongman preflight blouse" (26 chars) doesn't.... Messy. @MrChromebox @jans23 @daringer @szszszsz : plan of action? We limit custom passphrase and GPG PINs to <=25 chars?
…hars which would fail HOTP sealing Fixes linuxboot#1167 Circumvents Nitrokey/nitrokey-app#223 Adds validation so user cannot enter GPG User PIN > 64 while we are at it. Note that GPG PINs can be up to 64 characters. But GPG Admin PIN will fail HOTP sealing with GPG Admin PIN of more than 25 chars.
…hars which would fail HOTP sealing Fixes linuxboot#1167 Circumvents Nitrokey/nitrokey-pro-firmware#32 Adds validation so user cannot enter GPG User PIN > 64 while we are at it. Note that GPG PINs can be up to 64 characters. But GPG Admin PIN will fail HOTP sealing with GPG Admin PIN of more than 25 chars. Edit: change upstream error to firmware issue, not nitrokey-app.
…hars which would fail HOTP sealing Fixes linuxboot/heads#1167 Circumvents Nitrokey/nitrokey-pro-firmware#32 Adds validation so user cannot enter GPG User PIN > 64 while we are at it. Note that GPG PINs can be up to 64 characters. But GPG Admin PIN will fail HOTP sealing with GPG Admin PIN of more than 25 chars. Edit: change upstream error to firmware issue, not nitrokey-app.
Since Nitrokey / Librem Key firmware doesn't support it
Additionally, Admin/User PINs should also be consequently limited to not accept >20 chars.
OpenPGP Card supports PINs of max 32 characters, but firmware supports only 20 per HID packet size limitation per upstream bug Nitrokey/nitrokey-pro-firmware#32
@MrChromebox @jans23
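
The length rules this thread converges on (at least 8 and at most 25 for anything used in HOTP sealing, at most 64 for the GPG User PIN), written out as an added shell example; this is not code from Heads or Nitrokey. The function names, the byte-based length count and the User PIN minimum of 6 are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not code from Heads or Nitrokey.
# Limits come from the thread: HOTP sealing works at 25 chars and fails at 26,
# the GPG User PIN may be up to 64, and the custom passphrase needs at least 8.
HOTP_MAX=25        # longest secret that still seals the HOTP secret
USER_PIN_MAX=64    # GPG User PIN upper bound stated in the commit message
SEAL_MIN=8         # from the issue title; assumed to cover the Admin PIN too
USER_PIN_MIN=6     # assumption: OpenPGP card default, not stated on the page

# Length in bytes (assumption: the thread counts "chars", but it ties the
# limit to packet size, so a multi-byte character is counted per byte here).
secret_len() {
    echo $(( $(printf '%s' "$1" | wc -c) ))
}

# check_secret KIND SECRET
# KIND is admin_pin, custom_passphrase or user_pin (hypothetical labels).
# Prints a verdict; returns 0 if accepted, 1 if rejected, 2 on unknown KIND.
check_secret() {
    kind=$1
    len=$(secret_len "$2")
    case $kind in
        admin_pin|custom_passphrase) min=$SEAL_MIN; max=$HOTP_MAX ;;
        user_pin)                    min=$USER_PIN_MIN; max=$USER_PIN_MAX ;;
        *) echo "unknown kind: $kind"; return 2 ;;
    esac
    if [ "$len" -lt "$min" ]; then
        echo "$kind rejected: $len is shorter than $min"
        return 1
    fi
    if [ "$len" -gt "$max" ]; then
        echo "$kind rejected: $len is longer than $max"
        return 1
    fi
    echo "$kind accepted: length $len"
}

# The two passphrases quoted in the thread.
check_secret custom_passphrase 'Insurgo Open Technologies' || true
check_secret custom_passphrase 'strongman preflight blouse' || true
```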