[Gnuk-users] Upgrading gnuk on a nitrokey start
Remy van Elst
relst at relst.nl
Wed Sep 7 18:54:24 UTC 2016
One of the nice things now is that I can put a 4096 bit key on the card,
yay:
$ gpg --card-status
Reader ...........: 234B:0000:FSIJ-1.2.1-87022326:0
Application ID ...: D276000124010200FFFE870223260000
Version ..........: 2.0
Manufacturer .....: unmanaged S/N range
Serial number ....: 87022326
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: 0313 DBD0 D566 DC77 B512 6E29 7DE2 DB5D 739F B6A1
created ....: 2016-09-07 18:50:09
Encryption key....: A714 891F 3B61 0259 E777 195F 10DC C90E 0BA9 3D29
created ....: 2016-09-07 18:50:09
Authentication key: 0313 DBD0 D566 DC77 B512 6E29 7DE2 DB5D 739F B6A1
created ....: 2016-09-07 18:50:09
General key info..: pub rsa4096/0x7DE2DB5D739FB6A1 2016-09-07 fst01
121 test (test) <remy at remy.nl>
sec> rsa4096/0x7DE2DB5D739FB6A1 created: 2016-09-07 expires:
2016-10-07
card-no: FFFE 87022326
ssb> rsa4096/0x10DCC90E0BA93D29 created: 2016-09-07 expires:
2016-10-07
card-no: FFFE 87022326
Generating the key on the card fails however:
$ gpg --card-edit
Reader ...........: 234B:0000:FSIJ-1.2.1-87022326:0
Application ID ...: D276000124010200FFFE870223260000
Version ..........: 2.0
Manufacturer .....: unmanaged S/N range
Serial number ....: 87022326
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
gpg/card> admin
Admin commands are allowed
gpg/card> generate
Make off-card backup of encryption key? (Y/n) n
Please note that the factory settings of the PINs are
PIN = '123456' Admin PIN = '12345678'
You should change them using the command --change-pin
What keysize do you want for the Signature key? (4096)
What keysize do you want for the Encryption key? (4096)
What keysize do you want for the Authentication key? (4096)
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: Remy FST-01 test 4096
Email address: remy at example.com
Comment: yay 121
You selected this USER-ID:
"Remy FST-01 test 4096 (yay 121) <remy at example.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
gpg: key generation failed: Card error
Key generation failed: Card error
(I did try to generate the key on the card first, then placed the key on the
card.)
But still, very awesome :D
https://raymii.org
On Wed, Sep 7, 2016 at 8:27 PM, Remy van Elst <relst at relst.nl> wrote:
> I received the two FST_01's I ordered (without case, sadly) and it seems
> the upgrade via usb (password script) does work there, on my first try
> actually.
>
> The configure:
>
> ./configure --target=FST_01 --vidpid="234b:0000"
>
> Then the other regular make and for regnual the same.
>
> I was hoping it would fail on the FST_01 as well because that would mean
> it might be a hardware issue. But it seems it is actually an issue with the
> Nitrokey Start hardware. I'm still waiting for the STM devices, yay for
> long shipping.
>
> Before the upgrade:
>
> $ python2 usb_strings.py
> Device:
> Vendor: Free Software Initiative of Japan
> Product: FSIJ USB Token
> Serial: FSIJ-1.0.1-87022326
> Revision: release/1.0.1
> Config: FST_01:dfu=no:debug=no:pinpad=no:certdo=yes:keygen=yes
> Sys: 1.0
>
> $ gpg --card-status
> Reader ...........: 234B:0000:FSIJ-1.0.1-87022326:0
> Application ID ...: D276000124010200FFFE870223260000
> Version ..........: 2.0
> Manufacturer .....: unmanaged S/N range
> Serial number ....: 87022326
> Name of cardholder: [not set]
> Language prefs ...: [not set]
> Sex ..............: unspecified
> URL of public key : [not set]
> Login data .......: [not set]
> Signature PIN ....: forced
> Key attributes ...: rsa2048 rsa2048 rsa2048
> Max. PIN lengths .: 127 127 127
> PIN retry counter : 3 3 3
> Signature counter : 0
> Signature key ....: [none]
> Encryption key....: [none]
> Authentication key: [none]
> General key info..: [none]
>
>
> Upgrade:
>
> $ python2 ./upgrade_by_passwd.py -f ../regnual/regnual.bin
> ../src/build/gnuk.bin
> ../regnual/regnual.bin: 4412
> ../src/build/gnuk.bin: 110592
> CRC32: 303d2f62
>
> Device:
> Configuration: 1
> Interface: 0
> 20001400:20004a00
> Downloading flash upgrade program...
> start 20001400
> end 20002500
> Run flash upgrade program...
> Wait 1 seconds...
> Device:
> 08001000:08020000
> Downloading the program
> start 08001000
> end 0801b000
>
> After the upgrade:
>
> $ python2 usb_strings.py
> Device:
> Vendor: Free Software Initiative of Japan
> Product: Gnuk Token
> Serial: FSIJ-1.2.1-87022326
> Revision: release/1.2.1-1-g2b784cb-modified
> Config: FST_01:dfu=no:debug=no:pinpad=no:certdo=no
> Sys: 1.0
>
> dmesg during the upgrade and after:
>
> [ 294.977933] thinkpad_acpi: EC reports that Thermal Table has changed
> [ 726.481249] usb 1-1.1: new full-speed USB device number 3 using
> ehci-pci
> [ 1408.628722] usb 1-1.1: USB disconnect, device number 3
> [ 1412.817498] usb 2-1.2: new full-speed USB device number 4 using
> ehci-pci
> [ 1461.011520] usb 2-1.2: USB disconnect, device number 4
> [ 1464.014677] usb 2-1.2: new full-speed USB device number 5 using
> ehci-pci
> [ 1469.705384] usb 2-1.2: USB disconnect, device number 5
> [ 1469.893972] usb 2-1.2: new full-speed USB device number 6 using
> ehci-pci
>
>
> GPG still works:
>
> [20:20:18] [remy at gateway] [ ~ ]
> $ gpg --card-status
> Reader ...........: 234B:0000:FSIJ-1.2.1-87022326:0
> Application ID ...: D276000124010200FFFE870223260000
> Version ..........: 2.0
> Manufacturer .....: unmanaged S/N range
> Serial number ....: 87022326
> Name of cardholder: [not set]
> Language prefs ...: [not set]
> Sex ..............: unspecified
> URL of public key : [not set]
> Login data .......: [not set]
> Signature PIN ....: forced
> Key attributes ...: rsa2048 rsa2048 rsa2048
> Max. PIN lengths .: 127 127 127
> PIN retry counter : 3 3 3
> Signature counter : 0
> Signature key ....: [none]
> Encryption key....: [none]
> Authentication key: [none]
> General key info..: [none]
>
>
> So now let's hope I get the bricked Nitrokeys working again with the STM
> device so that we can further debug them.
>
>
>
> https://raymii.org
>
> On Wed, Aug 24, 2016 at 3:51 AM, NIIBE Yutaka <gniibe at fsij.org> wrote:
>
>> Hello,
>>
>> Thanks for further experiment with Nitrokey Start.
>>
>> On 08/24/2016 02:26 AM, Remy van Elst wrote:
>> > $ python2 ./upgrade_by_passwd.py ../regnual/regnual.bin
>> > ../src/build/gnuk.bin
>> > Admin password:
>> > ../regnual/regnual.bin: 4372
>> > ../src/build/gnuk.bin: 110592
>> > CRC32: 8d82b2df
>> >
>> > Device:
>> > Configuration: 1
>> > Interface: 0
>> > 20001400:20004a00
>> > Downloading flash upgrade program...
>> > start 20001400
>> > end 20002500
>> > Run flash upgrade program...
>> > Wait 1 seconds...
>> > Wait 1 seconds...
>> > Wait 1 seconds...
>> > Wait 1 seconds...
>> > Wait 1 seconds...
>> > Wait 1 seconds...
>> > Wait 1 seconds...
>> > Wait 1 seconds...
>> > Wait 1 seconds...
>> > Wait 1 seconds...
>> > Wait 1 seconds...
>> > Wait 1 seconds...
>> >
>> >
>> > This goes on and on and on. Here's the dmesg output:
>> >
>> > dmesg -wH
>> > [ +2.755257] usb 1-1.1: new full-speed USB device number 4 using
>> ehci-pci
>> > [ +2.755257] usb 1-1.1: new full-speed USB device number 4 using
>> ehci-pci
>> > [ +17.034260] usb 1-1-port1: disabled by hub (EMI?), re-enabling...
>> > [ +0.000008] usb 1-1.1: USB disconnect, device number 4
>> > [ +0.188718] usb 1-1.1: new low-speed USB device number 5 using
>> ehci-pci
>> > [ +0.066661] usb 1-1.1: device descriptor read/64, error -32
>> > [ +0.170001] usb 1-1.1: device descriptor read/64, error -32
>> > [ +0.173339] usb 1-1.1: new low-speed USB device number 6 using
>> ehci-pci
>> > [ +0.066655] usb 1-1.1: device descriptor read/64, error -32
>> > [ +0.169995] usb 1-1.1: device descriptor read/64, error -32
>> > [ +0.173326] usb 1-1.1: new low-speed USB device number 7 using
>> ehci-pci
>> > [ +0.406782] usb 1-1.1: device not accepting address 7, error -32
>> > [ +0.069870] usb 1-1.1: new low-speed USB device number 8 using
>> ehci-pci
>> > [ +0.406659] usb 1-1.1: device not accepting address 8, error -32
>> > [ +0.000199] usb 1-1-port1: unable to enumerate USB device
>>
>> So, reGNUal doesn't work well on the device (USB does not work).
>>
>> > I also have ordered two FST-01 without case, to see if the upgrade works
>> > there. If that is the case, there might be a nitrokey issue. If not,
>> then I
>> > hope my STM adapter comes in soon to restore these devices and see if
>> the
>> > upgrade works via the stm.
>> >
>> > I still have the nitrokey plugged in, lights blinking. If someone has
>> some
>> > magic USB scripts or so, I'll leave it plugged in as long as it goes.
>>
>> I think that there is no way to recover, as USB seems not to be working.
>>
>> For your information, I show my session log with FST-01.
>>
>> I inserted FST-01 with Gnuk 1.0.1 on my PC.
>>
>> ========================================= my session log
>> $ pwd
>> /home/gniibe/work/gnuk-1.2.1
>> $ cd src
>> $ ./configure --vidpid=234b:0000
>> Header file is: board-fst-01.h
>> Debug option disabled
>> Configured for bare system (no-DFU)
>> PIN pad option disabled
>> CERT.3 Data Object is NOT supported
>> Card insert/removal by HID device is NOT supported
>> $ cd ..
>> $ lsusb -d 234b:0000 -v
>>
>> Bus 001 Device 004: ID 234b:0000
>> Device Descriptor:
>> bLength 18
>> bDescriptorType 1
>> bcdUSB 1.10
>> bDeviceClass 0 (Defined at Interface level)
>> bDeviceSubClass 0
>> bDeviceProtocol 0
>> bMaxPacketSize0 64
>> idVendor 0x234b
>> idProduct 0x0000
>> bcdDevice 2.00
>> iManufacturer 1 Free Software Initiative of Japan
>> iProduct 2 FSIJ USB Token
>> iSerial 3 FSIJ-1.0.1-50FF6E06
>> bNumConfigurations 1
>> Configuration Descriptor:
>> bLength 9
>> bDescriptorType 2
>> wTotalLength 86
>> bNumInterfaces 1
>> bConfigurationValue 1
>> iConfiguration 0
>> bmAttributes 0x80
>> (Bus Powered)
>> MaxPower 100mA
>> Interface Descriptor:
>> bLength 9
>> bDescriptorType 4
>> bInterfaceNumber 0
>> bAlternateSetting 0
>> bNumEndpoints 2
>> bInterfaceClass 11 Chip/SmartCard
>> bInterfaceSubClass 0
>> bInterfaceProtocol 0
>> iInterface 0
>> ChipCard Interface Descriptor:
>> bLength 54
>> bDescriptorType 33
>> bcdCCID 1.10 (Warning: Only accurate for version
>> 1.0)
>> nMaxSlotIndex 0
>> bVoltageSupport 1 5.0V
>> dwProtocols 2 T=1
>> dwDefaultClock 3571
>> dwMaxiumumClock 3571
>> bNumClockSupported 1
>> dwDataRate 9600 bps
>> dwMaxDataRate 9600 bps
>> bNumDataRatesSupp. 1
>> dwMaxIFSD 254
>> dwSyncProtocols 00000000
>> dwMechanical 00000000
>> dwFeatures 00020842
>> Auto configuration based on ATR
>> Auto parameter negotation made by CCID
>> Short APDU level exchange
>> dwMaxCCIDMsgLen 271
>> bClassGetResponse echo
>> bClassEnvelope echo
>> wlcdLayout none
>> bPINSupport 0
>> bMaxCCIDBusySlots 1
>> Endpoint Descriptor:
>> bLength 7
>> bDescriptorType 5
>> bEndpointAddress 0x81 EP 1 IN
>> bmAttributes 2
>> Transfer Type Bulk
>> Synch Type None
>> Usage Type Data
>> wMaxPacketSize 0x0040 1x 64 bytes
>> bInterval 0
>> Endpoint Descriptor:
>> bLength 7
>> bDescriptorType 5
>> bEndpointAddress 0x01 EP 1 OUT
>> bmAttributes 2
>> Transfer Type Bulk
>> Synch Type None
>> Usage Type Data
>> wMaxPacketSize 0x0040 1x 64 bytes
>> bInterval 0
>> Device Status: 0x0000
>> (Bus Powered)
>> $ cd tool
>> $ ./upgrade_by_passwd.py -f ../regnual/regnual.bin ../src/build/gnuk.bin
>> ../regnual/regnual.bin: 4428
>> ../src/build/gnuk.bin: 110592
>> CRC32: d746d12a
>>
>> Device:
>> Configuration: 1
>> Interface: 0
>> 20001400:20004a00
>> Downloading flash upgrade program...
>> start 20001400
>> end 20002500
>> Run flash upgrade program...
>> Wait 1 seconds...
>> Device:
>> 08001000:08020000
>> Downloading the program
>> start 08001000
>> end 0801b000
>> $ lsusb -d 234b:0000 -v
>>
>> Bus 001 Device 006: ID 234b:0000
>> Device Descriptor:
>> bLength 18
>> bDescriptorType 1
>> bcdUSB 1.10
>> bDeviceClass 0 (Defined at Interface level)
>> bDeviceSubClass 0
>> bDeviceProtocol 0
>> bMaxPacketSize0 64
>> idVendor 0x234b
>> idProduct 0x0000
>> bcdDevice 2.00
>> iManufacturer 1 Free Software Initiative of Japan
>> iProduct 2 Gnuk Token
>> iSerial 3 FSIJ-1.2.1-87061034
>> bNumConfigurations 1
>> Configuration Descriptor:
>> bLength 9
>> bDescriptorType 2
>> wTotalLength 93
>> bNumInterfaces 1
>> bConfigurationValue 1
>> iConfiguration 0
>> bmAttributes 0x80
>> (Bus Powered)
>> MaxPower 100mA
>> Interface Descriptor:
>> bLength 9
>> bDescriptorType 4
>> bInterfaceNumber 0
>> bAlternateSetting 0
>> bNumEndpoints 3
>> bInterfaceClass 11 Chip/SmartCard
>> bInterfaceSubClass 0
>> bInterfaceProtocol 0
>> iInterface 0
>> ChipCard Interface Descriptor:
>> bLength 54
>> bDescriptorType 33
>> bcdCCID 1.10 (Warning: Only accurate for version
>> 1.0)
>> nMaxSlotIndex 0
>> bVoltageSupport 1 5.0V
>> dwProtocols 2 T=1
>> dwDefaultClock 4000
>> dwMaxiumumClock 4000
>> bNumClockSupported 0
>> dwDataRate 9600 bps
>> dwMaxDataRate 9600 bps
>> bNumDataRatesSupp. 0
>> dwMaxIFSD 254
>> dwSyncProtocols 00000000
>> dwMechanical 00000000
>> dwFeatures 0002047A
>> Auto configuration based on ATR
>> Auto voltage selection
>> Auto clock change
>> Auto baud rate change
>> Auto parameter negotation made by CCID
>> Auto IFSD exchange
>> Short APDU level exchange
>> dwMaxCCIDMsgLen 271
>> bClassGetResponse echo
>> bClassEnvelope FF
>> wlcdLayout none
>> bPINSupport 0
>> bMaxCCIDBusySlots 1
>> Endpoint Descriptor:
>> bLength 7
>> bDescriptorType 5
>> bEndpointAddress 0x81 EP 1 IN
>> bmAttributes 2
>> Transfer Type Bulk
>> Synch Type None
>> Usage Type Data
>> wMaxPacketSize 0x0040 1x 64 bytes
>> bInterval 0
>> Endpoint Descriptor:
>> bLength 7
>> bDescriptorType 5
>> bEndpointAddress 0x01 EP 1 OUT
>> bmAttributes 2
>> Transfer Type Bulk
>> Synch Type None
>> Usage Type Data
>> wMaxPacketSize 0x0040 1x 64 bytes
>> bInterval 0
>> Endpoint Descriptor:
>> bLength 7
>> bDescriptorType 5
>> bEndpointAddress 0x82 EP 2 IN
>> bmAttributes 3
>> Transfer Type Interrupt
>> Synch Type None
>> Usage Type Data
>> wMaxPacketSize 0x0004 1x 4 bytes
>> bInterval 255
>> Device Status: 0x0000
>> (Bus Powered)
>> $ cd ../test
>> $ nosetests --with-freshen
>> ............................................................
>> ............................................................
>> ............................................................
>> ............................................................
>> ............................................................
>> ............................................................
>> ....................
>> ----------------------------------------------------------------------
>> Ran 380 tests in 473.934s
>>
>> OK
>> $
>> =========================================
>>
>> I just found that test may not work well in some environments (it has
>> been working well for me, but newer Python-usb would cause a problem),
>> so, I fixed it in 23bbc9c755493ba5fe8317e401e0876fd7524d40.
>> --
>>
>> _______________________________________________
>> gnuk-users mailing list
>> gnuk-users at lists.alioth.debian.org
>> https://lists.alioth.debian.org/mailman/listinfo/gnuk-users
>>
>
>
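The before/after comparison of `gpg --card-status` that the messages above do by eye, as an added example that is not part of the original thread or of the Gnuk tools. The function names are hypothetical, and the reader-string layout (VID:PID:vendor-firmware-serial:slot) is an assumption read off the values shown in this thread.

```python
# Constructed sample: lines taken from the post-upgrade status in the message.
SAMPLE = """\
Reader ...........: 234B:0000:FSIJ-1.2.1-87022326:0
Application ID ...: D276000124010200FFFE870223260000
Serial number ....: 87022326
Key attributes ...: rsa4096 rsa4096 rsa4096
PIN retry counter : 3 3 3
"""


def parse_status(text):
    """Map each 'Label ....: value' line to {label: value}."""
    fields = {}
    for line in text.splitlines():
        label, sep, value = line.partition(": ")
        if sep:
            fields[label.strip(" .")] = value.strip()
    return fields


def token_identity(fields):
    """Split the reader string and the OpenPGP AID into their parts."""
    # Assumed Gnuk layout: VID:PID:<vendor>-<firmware>-<chip serial>:<slot>
    vid, pid, usb_serial, _slot = fields["Reader"].split(":")
    _vendor, firmware, chip_serial = usb_serial.split("-")
    aid = fields["Application ID"]  # RID(5) app(1) version(2) mfr(2) serial(4) RFU(2)
    return {
        "vidpid": (vid + ":" + pid).lower(),
        "firmware": firmware,
        "chip_serial": chip_serial,
        "aid_manufacturer": aid[16:20],
        "aid_serial": aid[20:28],
    }


def check_after_upgrade(text, want_firmware, want_vidpid="234b:0000"):
    """Return a list of mismatches; an empty list means nothing looks off."""
    fields = parse_status(text)
    ident = token_identity(fields)
    problems = []
    if ident["firmware"] != want_firmware:
        problems.append("firmware is " + ident["firmware"])
    if ident["vidpid"] != want_vidpid:
        problems.append("unexpected VID:PID " + ident["vidpid"])
    if not (ident["chip_serial"] == ident["aid_serial"] == fields["Serial number"]):
        problems.append("serial differs between reader string and AID")
    if fields["PIN retry counter"] != "3 3 3":
        problems.append("PIN retry counter is " + fields["PIN retry counter"])
    return problems
```

Feed it the captured output of `gpg --card-status` together with the firmware version that was just flashed. A non-empty result lists what to look at before loading keys onto the token.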