polhenarejos / pico-openpgp

Converting a Raspberry Pico into an OpenPGP CCID smart card.
GNU General Public License v3.0

gpg --card-edit -> admin -> factory-reset blocks CHV1, CHV2, CHV3 PIN retry counter #4

Closed rrottmann closed 12 hours ago

rrottmann commented 1 year ago

When doing a factory-reset using gpg --card-edit -> admin -> factory-reset, all PIN counters get blocked. They were 3 3 3 before. Is there an APDU custom command needed to reset the variables?

Reset of course works with pico_nuke_waveshare_rp2040_zero-1.0.uf2, but this requires some "knowledge" about flashing the Pico and the need to nuke the flash.

The gpg factory-reset uses the upstream documented process of the OpenPGP Card specification and would be doable by a less experienced/regular user.

polhenarejos commented 1 year ago

Cannot reproduce. Did you get an error when you ran the factory-reset command?

The PIN can be reset with the gpg --edit-card > unblock command using the RC code (12345678 by default).

Edit: the factory-reset command should set the default codes for all PINs (123456 for PIN and 12345678 for RC and admin).

The APDU command is 00 E6 00 00.

rrottmann commented 1 year ago

Just reproduced the issue.

  1. Nuke flash
  2. Install pico_openpgp_waveshare_rp2040_zero-1.8.uf2
  3. admin
  4. generate
  5. factory reset
  6. PIN retry counter 3 3 3
  7. admin
  8. generate
  9. factory reset
  10. PIN retry counter 0 0 0
  11. factory reset
  12. PIN retry counter 3 3 3
  13. generate (first user PIN 123456 then admin PIN 12345678)
  14. key generation failed: Bad PIN (immediately)
  15. Key not present on card
  16. generate
  17. Key generation failed: PIN blocked (after key generation)
  18. Key not present on card
  19. PIN retry counter 0 0 0
  20. passwd->2 unblock
  21. Error unblocking the PIN: Bad PIN (immediately, no entering of pin)
  22. factory-reset
  23. PIN retry counter 3 3 3
  24. generate
  25. Key generation failed: PIN blocked
  26. factory-reset
  27. unblock
  28. generate
  29. Key generation failed: PIN blocked

Nuke & full flash needed to reset and start from scratch.
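The "PIN retry counter 3 3 3" / "0 0 0" values quoted in this thread are the last three bytes of the card's PW Status Bytes data object (DO C4), in the order PW1, RC, PW3. The following is an added example, not code from this issue or from pico-openpgp, that decodes a raw GET DATA response for that object and lists which PINs are blocked; the field layout is taken from the OpenPGP card specification and the sample responses are constructed.

```python
# Added example: decode the OpenPGP card "PW Status Bytes" data object (DO C4).
# Field layout follows the OpenPGP card specification; it is not taken from
# pico-openpgp's source. The sample responses at the bottom are constructed.

PIN_NAMES = ("PW1 (user PIN)", "RC (reset code)", "PW3 (admin PIN)")


def parse_pw_status(response: bytes) -> dict:
    """Parse a GET DATA response for DO C4: 7 data bytes plus status word."""
    if len(response) < 2:
        raise ValueError("response too short to contain a status word")
    data, sw = response[:-2], response[-2:]
    if sw != b"\x90\x00":
        raise ValueError(f"card returned status word {sw.hex().upper()}")
    if len(data) != 7:
        raise ValueError(f"expected 7 PW status bytes, got {len(data)}")
    return {
        # Byte 1: 0x00 = PW1 valid for one signature, 0x01 = for several.
        "pw1_multi_sign": data[0] == 0x01,
        # Bytes 2-4: maximum lengths (bit 8 of byte 2 is a format flag).
        "max_lengths": (data[1] & 0x7F, data[2], data[3]),
        # Bytes 5-7: remaining tries for PW1, RC, PW3 (0 = blocked or unset).
        "retry_counters": tuple(data[4:7]),
    }


def blocked_pins(response: bytes) -> list:
    """Names of the PINs whose retry counter has reached zero."""
    counters = parse_pw_status(response)["retry_counters"]
    return [name for name, left in zip(PIN_NAMES, counters) if left == 0]


def as_gpg_line(response: bytes) -> str:
    """Render the counters the way the thread quotes them, e.g. '3 3 3'."""
    return " ".join(str(n) for n in parse_pw_status(response)["retry_counters"])


# Constructed responses matching the two states reported in the thread.
AFTER_GOOD_RESET = bytes.fromhex("007f7f7f0303039000")
AFTER_BAD_RESET = bytes.fromhex("007f7f7f0000009000")

if __name__ == "__main__":
    for label, resp in (("good", AFTER_GOOD_RESET), ("bad", AFTER_BAD_RESET)):
        print(label, as_gpg_line(resp), blocked_pins(resp))
```

Running this check after every factory-reset in a reproduction gives a byte-level record of the counters that can be attached to the report alongside the gpg output.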

polhenarejos commented 1 year ago

In step 10 I get 3 3 3. In step 14 PIN retries are 2 3 3.

Are you using the latest firmware?

rrottmann commented 1 year ago

Yes, the firmware is latest. Could it be related to using Waveshare RP2040 Zero?

polhenarejos commented 1 year ago

Really strange. I tried hundreds of combinations and I cannot reproduce it. I'll finish the tests and see if they pass on Waveshare.

polhenarejos commented 1 year ago

Can you try with the latest commit? I pushed lots of fixes. I also pushed a battery set from gnuk. Give it a try to see if any test fails.

polhenarejos commented 12 hours ago

Lots of bugfixes since then.

Please reopen if it still happens with the latest version.