Hotp version v1.6

[nestire]

This is needed to get the nitrokey 3 with 1.7.1 firmware to work on heads.

The Error Message is there to make the user aware that resetting the admin pin of the secrets app in the NK 3 Firmware is currently only possible with nitropy and the Nitrokey App 2 and not within heads.

Tested on:
NV41Nitropad : NK3 1.6; NK 1.7.1; NK Storage; NK Pro

[tlaurion]

Ok. Replicating as end user.

First step upgrading the nk3 firmware

https://github.com/Nitrokey/nitrokey-3-firmware lands to https://docs.nitrokey.com/nitrokey3/ lands to nowhere for clear instructions.

Going back to https://github.com/Nitrokey/nitrokey-3-firmware to land at https://github.com/Nitrokey/nitrokey-3-firmware/releases/tag/v1.7.0 to realise 1.7.1 is not official.

Ok, info not pointed out from nitrokey-3-firmware to nitropy we expect the user to be advanced and already having updated the firmware before.

Nitropy

https://github.com/Nitrokey/pynitrokey and nitropy don't have the same name.

Landing at https://docs.nitrokey.com/nitrokey3/ again.

going back to README.md

pipx install pynitrokey

Nothing tells me how to install pipx

user@heads-tests-deb12-nix:~/heads$ nitropy nk3 update
Command line tool to interact with Nitrokey devices 0.4.40
Critical error:
An unhandled exception occurred
	Exception encountered: LibraryNotFoundError('Error detecting the version of libcrypto')

--------------------------------------------------------------------------------
Critical error occurred, exiting now
Unexpected? Is this a bug? Would you like to get support/help?
- You can report issues at: https://support.nitrokey.com/
- Writing an e-mail to [email protected] is also possible
- Please attach the log: '/tmp/nitropy.log.utvqe59f' with any support/help request!
- Please check if you have udev rules installed: https://docs.nitrokey.com/nitrokey3/linux/firmware-update.html#troubleshooting

Okok

landing at https://docs.nitrokey.com/nitrokey3/linux/firmware-update.html#troubleshooting

hmm will update to 1.7.1 but won't be able to downgrade. Okok

Landing to https://docs.nitrokey.com/software/nitropy/all-platforms/installation.html
Following the white rabbit to https://docs.nitrokey.com/software/nitropy/linux/udev

I end up having to type all the following for things to work

python3 -m pip install --user pipx
python3 -m pipx ensurepath
pipx inject --pip-args="--upgrade --force" pynitrokey "oscrypto @ git+https://github.com/wbond/oscrypto.git@1547f535001ba568b239b8797465536759c742a3"
pipx upgrade pynitrokey
wget https://raw.githubusercontent.com/Nitrokey/libnitrokey/master/data/41-nitrokey.rules
sudo mv 41-nitrokey.rules /etc/udev/rules.d/
sudo chown root:root /etc/udev/rules.d/41-nitrokey.rules
sudo chmod 644 /etc/udev/rules.d/41-nitrokey.rules
sudo udevadm control --reload-rules && sudo udevadm trigger

Okok, crafting the version string to v.1.7.1
nitropy nk3 update --version v1.7.1

I'm under qubesos, so I guess I should know that switching to bootloader will change VID:PID and I have to reassign dongle back to testing qube

user@heads-tests-deb12-nix:~/heads$ nitropy nk3 update --version v1.7.1
Command line tool to interact with Nitrokey devices 0.4.47
Do you want to download the firmware version v1.7.1? [Y/n]: y
Download v1.7.1: 100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 1.03M/1.03M [00:00<00:00, 2.23MB/s]
Current firmware version:  v1.5.0
Updated firmware version:  v1.7.1

Please do not remove the Nitrokey 3 or insert any other Nitrokey 3 devices during the update. Doing so may damage the Nitrokey 3.
Do you want to perform the firmware update now? [y/N]: y

Please press the touch button to reboot the device into bootloader mode ...

Critical error:
No Nitrokey 3 bootloader device found

--------------------------------------------------------------------------------
Critical error occurred, exiting now
Unexpected? Is this a bug? Would you like to get support/help?
- You can report issues at: https://support.nitrokey.com/
- Writing an e-mail to [email protected] is also possible
- Please attach the log: '/tmp/nitropy.log.4fse8lbo' with any support/help request!
- Please check if you have udev rules installed: https://docs.nitrokey.com/nitrokey3/linux/firmware-update.html#troubleshooting

I reassign dongle, retry:

user@heads-tests-deb12-nix:~/heads$ nitropy nk3 update --version v1.7.1
Command line tool to interact with Nitrokey devices 0.4.47
Do you want to download the firmware version v1.7.1? [Y/n]: y
Download v1.7.1: 100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 1.03M/1.03M [00:00<00:00, 3.05MB/s]
Current firmware version:  [unknown]
Updated firmware version:  v1.7.1

Please do not remove the Nitrokey 3 or insert any other Nitrokey 3 devices during the update. Doing so may damage the Nitrokey 3.
Do you want to perform the firmware update now? [y/N]: y
Critical error:
Failed to perform firmware update
	Exception encountered: SPSDKConnectionError()

--------------------------------------------------------------------------------
Critical error occurred, exiting now
Unexpected? Is this a bug? Would you like to get support/help?
- You can report issues at: https://support.nitrokey.com/
- Writing an e-mail to [email protected] is also possible
- Please attach the log: '/tmp/nitropy.log.dw2wsoh3' with any support/help request!
- Please check if you have udev rules installed: https://docs.nitrokey.com/nitrokey3/linux/firmware-update.html#troubleshooting

Can a guide be drafted so prerequites to testing this PR can replicated from Q4.2.1 from NK3 firmware 1.5.0 that refuses to upgrade to 1.7.1?
@nestire thanks!

[tlaurion]

Ok, fine. Default user might want to wipe his dongle to upgrade. I would prefer not to, but this is replication of firmware upgrade here.

Let's do it

user@heads-tests-deb12-nix:~/heads$ nitropy nk3 factory-reset-app secrets
Command line tool to interact with Nitrokey devices 0.4.47
Please touch the device to confirm the operation
Critical error:
Application Factory reset is not supported by the firmware version on the device
user@heads-tests-deb12-nix:~/heads$ nitropy nk3 factory-reset
Command line tool to interact with Nitrokey devices 0.4.47
Please touch the device to confirm the operation
Critical error:
Factory reset is not supported by the firmware version on the device
user@heads-tests-deb12-nix:~/heads$ nitropy nk3 version
Command line tool to interact with Nitrokey devices 0.4.47
v1.5.0

Hmm.

@nestire ?

EDIT: attached nitropy logs from latest availabe version applied from above command traces in previous comment.
nitropylogs.tar.gz

[tlaurion]

The Error Message is there to make the user aware that resetting the admin pin of the secrets app in the NK 3 Firmware is currently only possible with nitropy and the Nitrokey App 2 and not within heads.

Will try the nitrokey app 2 path and open relative issues pointing here as well.

Following the white rabbit

https://github.com/Nitrokey/nitrokey-app2

Ok. Flatpak no debian packages. Stil lunder q4.2.1 here. I see macos instructions for pypi.

pypi path

landing on https://pypi.org/project/nitrokeyapp/

git clone https://github.com/Nitrokey/nitrokey-app2.git
cd nitrokey-app2
make init
make build
poetry shell
nitrokeyapp

okok

user@heads-tests-deb12-nix:~$ git clone https://github.com/Nitrokey/nitrokey-app2.git
cd nitrokey-app2
make init
make build
poetry shell
nitrokeyapp
Cloning into 'nitrokey-app2'...
remote: Enumerating objects: 9387, done.
remote: Counting objects: 100% (1771/1771), done.
remote: Compressing objects: 100% (698/698), done.
remote: Total 9387 (delta 1137), reused 1561 (delta 1012), pack-reused 7616
Receiving objects: 100% (9387/9387), 83.76 MiB | 14.90 MiB/s, done.
Resolving deltas: 100% (3518/3518), done.
Makefile:18: *** "No poetry in /home/user/.nix-profile/bin:/home/user/.local/bin:/home/user/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games".  Stop.
Makefile:18: *** "No poetry in /home/user/.nix-profile/bin:/home/user/.local/bin:/home/user/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games".  Stop.
bash: poetry: command not found
bash: nitrokeyapp: command not found

Ok instructions made as if I was a developer. Adding untold missing dependencies from instructions:
sudo apt install python3-poetry

Redoing

make init
make build
poetry shell
nitrokeyapp

Success. Landing under nitrokeyapp2

[...]
Installing the current project: nitrokeyapp (2.3.0)
poetry build
Building nitrokeyapp (2.3.0)
  - Building sdist
  - Built nitrokeyapp-2.3.0.tar.gz
  - Building wheel
  - Built nitrokeyapp-2.3.0-py3-none-any.whl
Spawning shell within /home/user/.cache/pypoetry/virtualenvs/nitrokeyapp-lgaYXzc2-py3.11
user@heads-tests-deb12-nix:~/nitrokey-app2$ . /home/user/.cache/pypoetry/virtualenvs/nitrokeyapp-lgaYXzc2-py3.11/bin/activate
(nitrokeyapp-py3.11) user@heads-tests-deb12-nix:~/nitrokey-app2$ nitrokeyapp
qt.qpa.plugin: From 6.5.0, xcb-cursor0 or libxcb-cursor0 is needed to load the Qt xcb platform plugin.
qt.qpa.plugin: Could not load the Qt platform plugin "xcb" in "" even though it was found.
This application failed to start because no Qt platform plugin could be initialized. Reinstalling the application may fix this problem.

Available platform plugins are: vkkhrdisplay, linuxfb, offscreen, eglfs, minimal, vnc, minimalegl, wayland-egl, wayland, xcb.

Aborted
(nitrokeyapp-py3.11) user@heads-tests-deb12-nix:~/nitrokey-app2$ 

Ok...

poetry shell
nitrokeyapp

So libxcb-cursor0 is missing. Redoing clean

sudo apt install python3-poetry libxcb-cursor0

poetry shell
nitrokeyapp

Same result but graphical and with less details as previous comment

Fails

[nestire]

Hi
regarding the update of the nitrokey in qubes see your ticket in the nitroapp 2 repro. We working on improving this.
Is there anything else that is needed for this to go trough?

[tlaurion]

@daringer testing WiP processes including subthread answer at QubesOS/qubes-issues#8953 (comment).

Please make sure Nitrokey/nitrokey-documentation#248 can be followed by end users since this PR won't be merged before this happens.

[tlaurion]

@daringer you might want to investigate QubesOS/qubes-issues#6330 (comment)

[tlaurion]

@nestire I do not see oem-factory-reset being updated to set a secure element PIN to match ADMIN PIN here either for OEM/user cases.

Updates at QubesOS/qubes-issues#8953 (comment) down

[nestire]

@nestire I do not see oem-factory-reset being updated to set a secure element PIN to match ADMIN PIN here either for OEM/user cases.

Updates at QubesOS/qubes-issues#8953 (comment) down

This is done by the hotp-verification if no pin is set see here https://github.com/Nitrokey/nitrokey-hotp-verification/blob/e9050e0c914e7a8ffef5d1c82a014e0e2bf79346/src/operations_ccid.c#L105

If there is a pin already set, this likely means the user is using the secret app in the nk3. Because of that we don't wan't to reset this within heads but within nitropy/Nitrokey App 2., So they don't lose passwords and other hotp secrets accidentally.

[tlaurion]

Related (not full list of issues, to be updated prior of merging

• Nitrokey 3C NFC not found in Nitropy in Bootloader mode Nitrokey/pynitrokey#543
• Unable to upgrade NK3 from v1.5.0 to v1.7.1 from latest nitropy Nitrokey/pynitrokey#542
• Unable to update from NK3 v1.5.0 to V1.7.0 Nitrokey/nitrokey-app2#249
• Unable to update Nitrokey 3 within an app qube QubesOS/qubes-issues#8953 (comment)
• add nitrokey3 update in qubes Nitrokey/nitrokey-documentation#248
• V1.5 : NK3 currently accepts any PIN on HOTP secret sealing Nitrokey/nitrokey-hotp-verification#30

[tlaurion]

@nestire I do not see oem-factory-reset being updated to set a secure element PIN to match ADMIN PIN here either for OEM/user cases.
Updates at QubesOS/qubes-issues#8953 (comment) down

This is done by the hotp-verification if no pin is set see here https://github.com/Nitrokey/nitrokey-hotp-verification/blob/e9050e0c914e7a8ffef5d1c82a014e0e2bf79346/src/operations_ccid.c#L105

If there is a pin already set, this likely means the user is using the secret app in the nk3. Because of that we don't wan't to reset this within heads but within nitropy/Nitrokey App 2., So they don't lose passwords and other hotp secrets accidentally.

perfect so I understand this sub-thread topic is to be followed until fixed:

• Unable to update Nitrokey 3 within an app qube QubesOS/qubes-issues#8953 (comment)

[tlaurion]

@daringer please update referred tickets at #1684 (comment) and next comments.

[tlaurion]

Ideal would be to have packages to deploy under sys-usb and qubes associated templates to not go in such loops of workarounds for not so technical users to follow, aka debian and fedora repositories at least in quebesos testing repositories.

[nestire]

Related (not full list of issues, to be updated prior of merging

* [ ]  [Nitrokey 3C NFC not found in Nitropy in Bootloader mode Nitrokey/pynitrokey#543](https://github.com/Nitrokey/pynitrokey/issues/543)

this is a windows issue so not related here the other issues should be resolved with the fix in Qubes.

We working on packages for Qubes/Fedora and for Debian to make this process more user friendly, but this should not block this since this PR will also not break usage of nitrokey3 with an older firmware then 1.7.1

[tlaurion]

Nitrokey/nitrokey-documentation#248 was merged. Retesting doc, will edit this reply

• testing this PR on non upgraded nk3a mini 1.5.0 firmware

  • prompts twice for physical presence when sealing HOTP
    • 

• test add nitrokey3 update in qubes Nitrokey/nitrokey-documentation#248 to upgrade nk3a mini from 1.5.0 to 1.6.1 under qubes

  • https://docs.nitrokey.com/nitrokey3/linux/firmware-update-qubes.html
    • https://docs.nitrokey.com/software/nitropy/all-platforms/installation.html
  • https://docs.nitrokey.com/nitrokey3/linux/firmware-update.html
    • update to v1.7.1 specifically : nitropy nk3 update --version v1.7.1

• Reboot and retest sealing and have new passphrase prompt for secure element PIN

  • Admin PIN asked, transparently sets provided PIN on first use
  • If HOTP reseal with bad PIN counters decrement from 8 to 7 (both User and Admin counters)
  • Reseals successfully only with Admin PIN defined on reseal

• @JonathonHall-Purism LGTM. Might want to test before I press merge? I'll approve this PR.

• merge this PR

[tlaurion]

@nestire #1684 (comment) ping