Test nk3 related hotp-verification patches upstream

[tlaurion]

Focusing on PR content, see PR to follow white rabbit on security/UX/oem issues they solve:

• https://github.com/Nitrokey/nitrokey-hotp-verification/pull/43
• https://github.com/Nitrokey/nitrokey-hotp-verification/pull/44
• https://github.com/Nitrokey/nitrokey-hotp-verification/pull/45
• https://github.com/Nitrokey/nitrokey-hotp-verification/pull/46

10h of work and counting. Will edit.

[tlaurion]

The one i'm the most interested (Heads maintainer), per defined priorities at https://github.com/Nitrokey/nitrokey-hotp-verification/issues/36#issuecomment-2479284125 is https://github.com/Nitrokey/nitrokey-hotp-verification/pull/46, starting with it.

[tlaurion]

The one i'm the most interested (Heads maintainer) is Nitrokey/nitrokey-hotp-verification#46, starting with it.

Ha. segfaults on nk2/lk https://github.com/Nitrokey/nitrokey-hotp-verification/pull/46#issuecomment-2503442845

[tlaurion]

Finally got an understanding that it doesn't make sense to not set a pin if no default pin is set at https://github.com/Nitrokey/nitrokey-hotp-verification/pull/46#issuecomment-2508143760

[tlaurion]

There is still two pins instead of one at https://github.com/Nitrokey/nitrokey-hotp-verification/pull/44#issuecomment-2508687329

[tlaurion]

A lot of misunderstanding around https://github.com/Nitrokey/nitrokey-hotp-verification/pull/45 around related issues.

There is no need to change pins if there is only one secure app pin which if locked requires reset, as opposed to gpg pins..... Seems like nitrokey attempts to reinvent the wheel and do patches on top of bad design.

Let's review what worked before here instead of under their issues and PR, since I'm not going to participate but sporadically more and more feeling like https://vimeo.com/800938284

---

Under gpg:

• reset code (if provisioned: not provisioned by default) unlocks gpg Admin PIN
• gpg Admin PIN can unlock of user PIN
• gpg User PIN cannot unlock itself.

On devices prior of nk3

• HOTP related PIN was GPG Admin PIN: rarely used on the daily but for remote attestation to seal state in HOTP (ie: after config settings change, after firmware upgrade, otherwise tampering. Reseal needed when remote attestation fails, meaning TPMTOP secret in TPM nvram cannot unseal)
• GPG Admin PIN was reset to default pin 12345678 per oem-factory-reset/re-ownership on gpg reset call.
• Both GPG Admin PIN and User PIN could then be changed because the default PINs always set and known (always set to known default values, default values never change and hardcoded)

Nk3:

• adds a secret app pin, currently misleadingly duplicated in another set of User and Admin PIN (confusing for all) where only one exists for secret app PIN.
• currently not set by any default PIN
• pin set at first use since HOTP 1.6 and nk3 firmware 1.7.1.
  • Prior of that, was accepting any pin, HOTP secret resealing was only needing physical presence, silently accepting and neglecting any PIN that was entered.

Therefore.

• It makes no sense to have a pin change if no default pin is previously, and alway set (change what?)
• secure element pin has a counter of 6 attempts as opposed to 3 for GPG Admin/User PINs on devices <nk3
• changing a secret app PIN useful use case would be if user upgraded firmware and fears eavesdropping of that pin because.... He upgraded firmware in unsafe environment that potentially eavesdropped his Secret App PIN? Bad opsec = Bad user.
  • changing PIN: Nice to have at best but if necessary, we fail our users: nothing implements this change outside of GPG for GPG related PINs today which doesn't fit secure element today, nor we have any GUI to do this today : not planned on my side.

TLDR...... hotp-verification should

• Either set a default secret app pin and offer pin change so re-ownership can change it just like before as part of re-ownership for <nk3 (GPG Admin PIN for <nk3 is nk3 secret app PIN for nk3. Regression as of today, best practices not followed, reinventing the wheel with weaker process was chosen as of today)
• have hotp_verification reset SECRET_APP_PIN requiring a pin if none set by default
• Have hotp_verification reset set a default PIN, which if we don't plan to reinvent the wheel should be equivalent to gpg Admin PIN which is 12345678.

@daringer this is heads requirements. You have to decide what is best for nitrokey other secret app PIN; I have no voice there, but this is looping over Heads use case. Nitrokey chose to reinvent the wheel without consulting first. And current implementation is bogus.

Consequently. hotp_verification should also stop presenting false or misleading information:

• report only one single secure app PIN, and only for nk3 (stop misleading users with additional Admin and User PINs that don't exist and confuse UX, we all know better and overflowing support requests for no good reason. This is shoveling problems into the future for all ecosystem. Justifiable other use cases? Name them and let's work around them, otherwise bad design.
• report GPG User/Admin PIN counters (tries left)
• present real nk3 high level firmware version, eg 1.7.1.
• If and oly if useful to nitrokey, keep secret app version in info output... but this useless to Heads and misleading to end users. TMI unless stated otherwise.

That's it.

---

Added number of hours spent on this prior of even implementing changes needed under heads, feedback received after feature freeze original date set to 2024-11-20. Everything will land in my hands at the same time, I hope everyone will understand that it's not how things should work for healthy iterative development. Tag bounty added.