Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Hotp version v1.6 #1684

Merged
merged 2 commits into from
May 30, 2024
Merged

Hotp version v1.6 #1684

merged 2 commits into from
May 30, 2024

Conversation

nestire
Copy link
Contributor

@nestire nestire commented May 21, 2024

This is needed to get the nitrokey 3 with 1.7.1 firmware to work on heads.

The Error Message is there to make the user aware that resetting the admin pin of the secrets app in the NK 3 Firmware is currently only possible with nitropy and the Nitrokey App 2 and not within heads.

Tested on:
NV41Nitropad : NK3 1.6; NK 1.7.1; NK Storage; NK Pro

nestire added 2 commits May 21, 2024 17:03
Signed-off-by: nestire <hannes@nitrokey.com>
Signed-off-by: nestire <hannes@nitrokey.com>
@nestire nestire force-pushed the hotp-version-v1.6 branch from 7c8fb5c to ea05b1e Compare May 21, 2024 15:03
@tlaurion
Copy link
Collaborator

tlaurion commented May 21, 2024

Ok. Replicating as end user.

First step upgrading the nk3 firmware

https://github.com/Nitrokey/nitrokey-3-firmware lands to https://docs.nitrokey.com/nitrokey3/ lands to nowhere for clear instructions.

Going back to https://github.com/Nitrokey/nitrokey-3-firmware to land at https://github.com/Nitrokey/nitrokey-3-firmware/releases/tag/v1.7.0 to realise 1.7.1 is not official.

Ok, info not pointed out from nitrokey-3-firmware to nitropy we expect the user to be advanced and already having updated the firmware before.

Nitropy

https://github.com/Nitrokey/pynitrokey and nitropy don't have the same name.

Landing at https://docs.nitrokey.com/nitrokey3/ again.

going back to README.md

pipx install pynitrokey

Nothing tells me how to install pipx

user@heads-tests-deb12-nix:~/heads$ nitropy nk3 update
Command line tool to interact with Nitrokey devices 0.4.40
Critical error:
An unhandled exception occurred
	Exception encountered: LibraryNotFoundError('Error detecting the version of libcrypto')

--------------------------------------------------------------------------------
Critical error occurred, exiting now
Unexpected? Is this a bug? Would you like to get support/help?
- You can report issues at: https://support.nitrokey.com/
- Writing an e-mail to support@nitrokey.com is also possible
- Please attach the log: '/tmp/nitropy.log.utvqe59f' with any support/help request!
- Please check if you have udev rules installed: https://docs.nitrokey.com/nitrokey3/linux/firmware-update.html#troubleshooting

Okok

landing at https://docs.nitrokey.com/nitrokey3/linux/firmware-update.html#troubleshooting

hmm will update to 1.7.1 but won't be able to downgrade. Okok

Landing to https://docs.nitrokey.com/software/nitropy/all-platforms/installation.html
Following the white rabbit to https://docs.nitrokey.com/software/nitropy/linux/udev

I end up having to type all the following for things to work

python3 -m pip install --user pipx
python3 -m pipx ensurepath
pipx inject --pip-args="--upgrade --force" pynitrokey "oscrypto @ git+https://github.com/wbond/oscrypto.git@1547f535001ba568b239b8797465536759c742a3"
pipx upgrade pynitrokey
wget https://raw.githubusercontent.com/Nitrokey/libnitrokey/master/data/41-nitrokey.rules
sudo mv 41-nitrokey.rules /etc/udev/rules.d/
sudo chown root:root /etc/udev/rules.d/41-nitrokey.rules
sudo chmod 644 /etc/udev/rules.d/41-nitrokey.rules
sudo udevadm control --reload-rules && sudo udevadm trigger

Okok, crafting the version string to v.1.7.1
nitropy nk3 update --version v1.7.1

I'm under qubesos, so I guess I should know that switching to bootloader will change VID:PID and I have to reassign dongle back to testing qube

user@heads-tests-deb12-nix:~/heads$ nitropy nk3 update --version v1.7.1
Command line tool to interact with Nitrokey devices 0.4.47
Do you want to download the firmware version v1.7.1? [Y/n]: y
Download v1.7.1: 100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 1.03M/1.03M [00:00<00:00, 2.23MB/s]
Current firmware version:  v1.5.0
Updated firmware version:  v1.7.1

Please do not remove the Nitrokey 3 or insert any other Nitrokey 3 devices during the update. Doing so may damage the Nitrokey 3.
Do you want to perform the firmware update now? [y/N]: y

Please press the touch button to reboot the device into bootloader mode ...

Critical error:
No Nitrokey 3 bootloader device found

--------------------------------------------------------------------------------
Critical error occurred, exiting now
Unexpected? Is this a bug? Would you like to get support/help?
- You can report issues at: https://support.nitrokey.com/
- Writing an e-mail to support@nitrokey.com is also possible
- Please attach the log: '/tmp/nitropy.log.4fse8lbo' with any support/help request!
- Please check if you have udev rules installed: https://docs.nitrokey.com/nitrokey3/linux/firmware-update.html#troubleshooting

I reassign dongle, retry:

user@heads-tests-deb12-nix:~/heads$ nitropy nk3 update --version v1.7.1
Command line tool to interact with Nitrokey devices 0.4.47
Do you want to download the firmware version v1.7.1? [Y/n]: y
Download v1.7.1: 100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 1.03M/1.03M [00:00<00:00, 3.05MB/s]
Current firmware version:  [unknown]
Updated firmware version:  v1.7.1

Please do not remove the Nitrokey 3 or insert any other Nitrokey 3 devices during the update. Doing so may damage the Nitrokey 3.
Do you want to perform the firmware update now? [y/N]: y
Critical error:
Failed to perform firmware update
	Exception encountered: SPSDKConnectionError()

--------------------------------------------------------------------------------
Critical error occurred, exiting now
Unexpected? Is this a bug? Would you like to get support/help?
- You can report issues at: https://support.nitrokey.com/
- Writing an e-mail to support@nitrokey.com is also possible
- Please attach the log: '/tmp/nitropy.log.dw2wsoh3' with any support/help request!
- Please check if you have udev rules installed: https://docs.nitrokey.com/nitrokey3/linux/firmware-update.html#troubleshooting

Can a guide be drafted so prerequites to testing this PR can replicated from Q4.2.1 from NK3 firmware 1.5.0 that refuses to upgrade to 1.7.1?
@nestire thanks!

@tlaurion
Copy link
Collaborator

tlaurion commented May 21, 2024

Ok, fine. Default user might want to wipe his dongle to upgrade. I would prefer not to, but this is replication of firmware upgrade here.

Let's do it

user@heads-tests-deb12-nix:~/heads$ nitropy nk3 factory-reset-app secrets
Command line tool to interact with Nitrokey devices 0.4.47
Please touch the device to confirm the operation
Critical error:
Application Factory reset is not supported by the firmware version on the device
user@heads-tests-deb12-nix:~/heads$ nitropy nk3 factory-reset
Command line tool to interact with Nitrokey devices 0.4.47
Please touch the device to confirm the operation
Critical error:
Factory reset is not supported by the firmware version on the device
user@heads-tests-deb12-nix:~/heads$ nitropy nk3 version
Command line tool to interact with Nitrokey devices 0.4.47
v1.5.0

Hmm.

@nestire ?

EDIT: attached nitropy logs from latest availabe version applied from above command traces in previous comment.
nitropylogs.tar.gz

@tlaurion
Copy link
Collaborator

tlaurion commented May 21, 2024

The Error Message is there to make the user aware that resetting the admin pin of the secrets app in the NK 3 Firmware is currently only possible with nitropy and the Nitrokey App 2 and not within heads.

Will try the nitrokey app 2 path and open relative issues pointing here as well.

Following the white rabbit

https://github.com/Nitrokey/nitrokey-app2

Ok. Flatpak no debian packages. Stil lunder q4.2.1 here. I see macos instructions for pypi.

pypi path

landing on https://pypi.org/project/nitrokeyapp/

git clone https://github.com/Nitrokey/nitrokey-app2.git
cd nitrokey-app2
make init
make build
poetry shell
nitrokeyapp

okok

user@heads-tests-deb12-nix:~$ git clone https://github.com/Nitrokey/nitrokey-app2.git
cd nitrokey-app2
make init
make build
poetry shell
nitrokeyapp
Cloning into 'nitrokey-app2'...
remote: Enumerating objects: 9387, done.
remote: Counting objects: 100% (1771/1771), done.
remote: Compressing objects: 100% (698/698), done.
remote: Total 9387 (delta 1137), reused 1561 (delta 1012), pack-reused 7616
Receiving objects: 100% (9387/9387), 83.76 MiB | 14.90 MiB/s, done.
Resolving deltas: 100% (3518/3518), done.
Makefile:18: *** "No poetry in /home/user/.nix-profile/bin:/home/user/.local/bin:/home/user/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games".  Stop.
Makefile:18: *** "No poetry in /home/user/.nix-profile/bin:/home/user/.local/bin:/home/user/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games".  Stop.
bash: poetry: command not found
bash: nitrokeyapp: command not found

Ok instructions made as if I was a developer. Adding untold missing dependencies from instructions:
sudo apt install python3-poetry

Redoing

make init
make build
poetry shell
nitrokeyapp

Success. Landing under nitrokeyapp2

[...]
Installing the current project: nitrokeyapp (2.3.0)
poetry build
Building nitrokeyapp (2.3.0)
  - Building sdist
  - Built nitrokeyapp-2.3.0.tar.gz
  - Building wheel
  - Built nitrokeyapp-2.3.0-py3-none-any.whl
Spawning shell within /home/user/.cache/pypoetry/virtualenvs/nitrokeyapp-lgaYXzc2-py3.11
user@heads-tests-deb12-nix:~/nitrokey-app2$ . /home/user/.cache/pypoetry/virtualenvs/nitrokeyapp-lgaYXzc2-py3.11/bin/activate
(nitrokeyapp-py3.11) user@heads-tests-deb12-nix:~/nitrokey-app2$ nitrokeyapp
qt.qpa.plugin: From 6.5.0, xcb-cursor0 or libxcb-cursor0 is needed to load the Qt xcb platform plugin.
qt.qpa.plugin: Could not load the Qt platform plugin "xcb" in "" even though it was found.
This application failed to start because no Qt platform plugin could be initialized. Reinstalling the application may fix this problem.

Available platform plugins are: vkkhrdisplay, linuxfb, offscreen, eglfs, minimal, vnc, minimalegl, wayland-egl, wayland, xcb.

Aborted
(nitrokeyapp-py3.11) user@heads-tests-deb12-nix:~/nitrokey-app2$ 

Ok...

poetry shell
nitrokeyapp

So libxcb-cursor0 is missing. Redoing clean

sudo apt install python3-poetry libxcb-cursor0

poetry shell
nitrokeyapp

Same result but graphical and with less details as previous comment
2024-05-21-121916

Fails
2024-05-21-122037

@nestire
Copy link
Contributor Author

nestire commented May 22, 2024

Hi
regarding the update of the nitrokey in qubes see your ticket in the nitroapp 2 repro. We working on improving this.
Is there anything else that is needed for this to go trough?

@tlaurion
Copy link
Collaborator

tlaurion commented May 24, 2024

@daringer testing WiP processes including subthread answer at QubesOS/qubes-issues#8953 (comment).

Please make sure Nitrokey/nitrokey-documentation#248 can be followed by end users since this PR won't be merged before this happens.

@tlaurion
Copy link
Collaborator

@daringer you might want to investigate QubesOS/qubes-issues#6330 (comment)

@tlaurion
Copy link
Collaborator

tlaurion commented May 24, 2024

@nestire I do not see oem-factory-reset being updated to set a secure element PIN to match ADMIN PIN here either for OEM/user cases.

Updates at QubesOS/qubes-issues#8953 (comment) down

@nestire
Copy link
Contributor Author

nestire commented May 27, 2024

@nestire I do not see oem-factory-reset being updated to set a secure element PIN to match ADMIN PIN here either for OEM/user cases.

Updates at QubesOS/qubes-issues#8953 (comment) down

This is done by the hotp-verification if no pin is set see here https://github.com/Nitrokey/nitrokey-hotp-verification/blob/e9050e0c914e7a8ffef5d1c82a014e0e2bf79346/src/operations_ccid.c#L105

If there is a pin already set, this likely means the user is using the secret app in the nk3. Because of that we don't wan't to reset this within heads but within nitropy/Nitrokey App 2., So they don't lose passwords and other hotp secrets accidentally.

@tlaurion
Copy link
Collaborator

@nestire I do not see oem-factory-reset being updated to set a secure element PIN to match ADMIN PIN here either for OEM/user cases.
Updates at QubesOS/qubes-issues#8953 (comment) down

This is done by the hotp-verification if no pin is set see here https://github.com/Nitrokey/nitrokey-hotp-verification/blob/e9050e0c914e7a8ffef5d1c82a014e0e2bf79346/src/operations_ccid.c#L105

If there is a pin already set, this likely means the user is using the secret app in the nk3. Because of that we don't wan't to reset this within heads but within nitropy/Nitrokey App 2., So they don't lose passwords and other hotp secrets accidentally.

perfect so I understand this sub-thread topic is to be followed until fixed:

Copy link
Collaborator

@tlaurion tlaurion left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@daringer please update referred tickets at #1684 (comment) and next comments.

@tlaurion
Copy link
Collaborator

Ideal would be to have packages to deploy under sys-usb and qubes associated templates to not go in such loops of workarounds for not so technical users to follow, aka debian and fedora repositories at least in quebesos testing repositories.

@nestire
Copy link
Contributor Author

nestire commented May 29, 2024

Related (not full list of issues, to be updated prior of merging

* [ ]  [Nitrokey 3C NFC not found in Nitropy in Bootloader mode Nitrokey/pynitrokey#543](https://github.com/Nitrokey/pynitrokey/issues/543)

this is a windows issue so not related here the other issues should be resolved with the fix in Qubes.

We working on packages for Qubes/Fedora and for Debian to make this process more user friendly, but this should not block this since this PR will also not break usage of nitrokey3 with an older firmware then 1.7.1

@tlaurion
Copy link
Collaborator

tlaurion commented May 29, 2024

Nitrokey/nitrokey-documentation#248 was merged. Retesting doc, will edit this reply

@tlaurion tlaurion self-requested a review May 29, 2024 21:39
@tlaurion tlaurion merged commit a8adfb5 into linuxboot:master May 30, 2024
40 checks passed
@tlaurion
Copy link
Collaborator

@nestire #1684 (comment) ping

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants