Add option to change the nk3 secret apps pin for reowner ship

[nestire]

see also #36

this is not yet possible in heads only via nitropy or the nitrokey app 2

[tlaurion]

GPG Admin/User PINs are reset through gpg factory reset under Heads. If Admin PIN has no counter left then Admin is locked out and factory reset needs to be done there. That was also the case for HOTP in nk2/librem key for HOTP secret sealing: GPG Admin PIN was used there.

The bare minimal here would be to have hotp-verification permit factory reset of the secret app just like gpg does for opengpg smartcard si that OEM factory reset and re-ownership can be done under Heads, and the secret element by wiped as anything else in the dongle.

---

No issue was opened to tackle the issue of physical presence. Could this be optionally turned off when reset at oem-factory-reset through hotp-verificarion?

This prevent unattended oem factory reset and transfer of ownership improvements to happen and I see no justification for touch requirement in remote attestation use case but maybe for servers: PIN does the physical presence + authentication being physically present brings what more?

[nestire]

@tlaurion for the presence see #41 but not sure if there is a good way of doing this

[daringer]

this will lead to a new command line argument: change-pin <old-pin> <new-pin>

how to handle backwards compatibility? will this just fail for pro/storage?
I don't think it makes sense to re-implement gpg functionality here.

[tlaurion]

this will lead to a new command line argument: change-pin <old-pin> <new-pin>

how to handle backwards compatibility? will this just fail for pro/storage?
I don't think it makes sense to re-implement gpg functionality here.

@JonathonHall-Purism comments?

[tlaurion]

this will lead to a new command line argument: change-pin <old-pin> <new-pin>

how to handle backwards compatibility? will this just fail for pro/storage?
I don't think it makes sense to re-implement gpg functionality here.

@daringer @JonathonHall-Purism in my opinion that wouldn't break anyrjing since it was not possible to do so before?

[daringer]

ok, summarizing what shall be implemented:

• introduce cmdline option: change-pin <old-pin> <new-pin>
• this shall change the secrets pin (or set if not set) on a nitrokey 3
• this operation does nothing if a pro2/storage is connected (silent fail w/o bad return error code)

[tlaurion]

@JonathonHall-Purism fyi

[JonathonHall-Purism]

This sounds like it should work. Thanks @daringer

[tlaurion]

Ideal is still for hotp_verification reset SECRET_APP_PIN so that physical presence is given once not twice: not changed but setuped through re-ownership, ideally skipping the whole "set on first use" issue of nk3 right now, while a new nk3 firmware version not requiring physical presence lands.

There is no need for passphrase change.

[daringer]

I don't understand this.
What does the last comment mean ?
How does this help to implement a solution for this issue?

Ideal is still for hotp_verification reset SECRET_APP_PIN so that physical presence is given once not twice

do we need the changes defined in my comment above or not? yes or no?

[tlaurion]

Ideal is still for hotp_verification reset SECRET_APP_PIN gpg requires a change of pin because factory reset sets it to something useless in most cases and heads then have to sldona second round of ops.

I said #40 was nice to have since the beginning.
Previous comment under #42

[daringer]

ok, then we keep this and extend #42 with the secret pin

[tlaurion]

TLDR: #41>#38>#39, nice to have #40
#41 was deemed impossible because physical presence removal required nk3 firmware change, and led to #42
So priorities are:
#42>#41>#38>#39, nice to have #40
Originally posted by @tlaurion in #36 (comment)

No need to change a PIN that has no PIN set (#42 created after #41 rejected for now and #38/#39 clarifying there is no admin/user pin for secreet app...). Therefore: if PIN is set but locked, reset secret app PIN needed because there is no Admin PIN nor USER PIN here to unlock one another if locked: there is a single PIN.... So why a change PIN? eavesdropped while sealing remote attestation? Bad end user doing that in unsafe space, but why not? #40 nice to have
If so, Heads doesn't plan to implement this through UX, but if #40 plans to do it, then why not but it makes little sense to me as opposed to OpenPGP smartcard, which was nk2/nk2 pro/lb, not nk3. But again, if Admin PIN is locked, as also said elsewhere, reset code needs to be set up at provisioning, which is not setup right now, to unlock GPG Admin PIN from reset code. This would be yet another secret for the user to remember... But anyway: none of this exists on nk3 for secret app PIN. Irrelevant altogether, no? We don't want to think before implementing?

All of which is #42 for now: setting a PIN, not letting it silently be set on first use(right now), or not considering it at all (hotp_verification prior of 1.6 with nk3 <1.7.1). But as of today, Secret App PIN is silently set on first use, which is totally wrong, possibly with a typo in it. And as of today, oem-factory-reset has no way to set that PIN. This is what #42 is about.

Logic of changing PIN needs 2 or even 3 PIN by GPG reference implementation, changing user PIN is from Admin PIN in case of being locked, Admin PIN is from reset code PIN.

Nk3 has one single Secure App PIN, no double PIN to prevent locking out, no reset code PIN. But has 6 counters (tries) instead of 3 by implementation choices (that I was unaware of before details disclosed upon bug discovery).
Even if hotp_verification info today (1.6) reports an Admin and a User PIN for secret app (misleading today), changing a PIN makes no sense. Misleading info to be fixed under #38 and #39 for PIN and firmware versions which makes no sense at all today for anybody (maybe for nitrokey devs?)

TLDR: you can close #40 unless you plan of PR a change PIN because user thinks his Secure App PIN has been eavesdropped. But considering that secret app PIN is typed only upon firmware upgrade or configuration changes, as opposed to GPG User PIN used to sign /boot changes upon OS boot related changes, htought experiments proves this pretty useless to my eyes under nk3 context.

[tlaurion]

ok, then we keep this and extend #42 with the secret pin

I need #42. Would love #41 but said not right now. So unattended reownership will be postponed (physical presence still needed) while misleading info reported to users #38 and #39 would make sense for all support request teams, including yours.

TLDR: please deliver #46 asap.