[Gnuk-users] GnuK 1.2.1 locked Admin PW
Peter Lebbing
peter at digitalbrains.com
Wed Apr 5 12:23:23 UTC 2017
Hi all and especially NIIBE. I'm new on this list, but am a regular of
GnuPG-Users.
At the OpenPGP Conference, I bought an FST-01 with GnuK 1.2.1.[1]. It
had been collecting dust since then, and I reckoned it's better at
collecting keys, so I tried to start using it.
I kept struggling with PINs, and now, completely weirdly, it stopped
accepting my Admin PIN. Now it's locked.
How can I unlock it? I don't have a completely assembled SWD programmer
yet. What I mean is, I have a TIAO USB Multi-Protocol Adapter v1. They
added SWD support in v2. But it might be possible to coax this from v1
as well with some wires or perhaps a transistor.
What are the different ways I could go about getting it to work again?
Finally, let me end in a loose account of how it went. Since I worked
with actual PINs, I did not log stuff. I thought if it failed I could
recreate later with fake PINs, but since I now locked it, I can't go any
further.
I used:
> $ gpg2 --version
> gpg (GnuPG) 2.1.19
> libgcrypt 1.7.6-beta
> [...]
> $ gpg-agent --version
> gpg-agent (GnuPG) 2.1.19
> libgcrypt 1.7.6-beta
> [...]
> $ /usr/lib/gnupg2/scdaemon --version
> scdaemon (GnuPG) 2.1.19
> libgcrypt 1.7.6-beta
> libksba 1.3.5-unknown
> [...]
I wanted separate user and admin PINs. So first I changed the Admin PIN.
That worked. Then I changed the user PIN. For some reason, I couldn't
use either the new or the old PIN, and I locked it. I tried to unblock
using the Admin PIN and later also a Reset Code, but got "Condition of
use not satisfied" (SW1/SW2 = 6985). Upon reading some source code, I
figured out this was because I didn't have any keys. I don't know why
this is a condition, but it is, so...
Here I encountered a nice catch-22. If I used --card-edit generate, it
would prompt for my User PIN! Well, it's blocked, sorry about that. So
no "generate" for me. I did --edit-key some-RSA-2048-test-key and
"keytocard", so I now had a key on there. Hooray, I could change the PIN.
As an aside, I think this is a bit awkward. Want to unblock your PIN?
Sure, generate some keys. Generate some keys? Please unblock your PIN
first. This is pretty unfortunate and not a nice user experience. I can
cope, I roll my eyes and do "keytocard", but somebody else might not
know a way out. The basic issue is: *why* is GnuPG even asking for a
user PIN? Section 7.2.13 of the OpenPGP Card Spec v3.0 says:
> The command can only be used after correct presentation of
> PW3 for the generation of a key pair.
It says nothing about PW1 being needed.
Back to my issues. I got there, right? No. Any attempt to do something
requiring the user PIN got me "PINs not synched" or similar message. I
could not change the PINs. An unblock lead to "PINs not synched". As a
final "let's try this then", I changed the Admin PIN without changing
it. I typed my old PIN, and then my old PIN twice again.
At this point my Admin PIN was no longer accepted. Not having any other
thing to try, I managed to exhaust my Admin PIN retry counter, and I now
have the "Hello, World!" of hardware designs: a blinking LED.
In addition to the blinking LED, it also shows this:
> Reader ...........: 234B:0000:FSIJ-1.2.1-87061340:0
> Application ID ...: D276000124010200FFFE870613400000
> Version ..........: 2.0
> Manufacturer .....: unmanaged S/N range
> Serial number ....: 87061340
> Name of cardholder: Peter Lebbing
> Language prefs ...: en
> Sex ..............: male
> URL of public key : [not set]
> Login data .......: [not set]
> Signature PIN ....: not forced
> Key attributes ...: rsa2048 rsa2048 rsa2048
> Max. PIN lengths .: 127 127 127
> PIN retry counter : 2 3 0
> Signature counter : 0
> Signature key ....: [none]
> Encryption key....: 713F F089 6E52 73C8 7DD2 844F 1BD8 6BE8 3C3F 84D5
> created ....: 2016-12-05 11:12:51
> Authentication key: [none]
I'm considering buying a TIAO USB Multi-Protocol Adapter v2, so I can
easily flash the firmware on the FST-01. But can this also be solved
without an SWD interface?
Thanks,
Peter.
[1] I could not attend the talk by NIIBE unfortunately! Video captures
were supposed to be released at some time, and I have poked Martin
Schulte about this, but so far nothing has come forth. Again, unfortunately.
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
More information about the gnuk-users
mailing list