WiP: add GPG Admin/User PIN output grabbing on confirm_gpg_card prese…

…nce call, echo for now, warn to input GPG User PIN when asked to unlock GPG card Mitigate misunderstands and show GPG User/Admin PIN counts until proper output exists under hotp_verification info to reduce global confusion Add TODO under initrd/bin/seal-hotpkey to not foget to fix output since now outputting counter of 8 for Admin PIN which makes no sense at all under hotp_verification 1.6 Nitrokey/nitrokey-hotp-verification#38 Signed-off-by: Thierry Laurion <[email protected]>
linuxboot · Dec 3, 2024 · dd72313 · dd72313
1 parent 40da4d3
commit dd72313
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 2 deletions.
diff --git a/initrd/bin/seal-hotpkey b/initrd/bin/seal-hotpkey
@@ -105,6 +105,7 @@ awk_get_admin_counter="$awk_admin_counter_regex"' { print gensub('"$awk_admin_co
 admin_pin_retries="$(echo "$hotp_token_info" | awk "$awk_get_admin_counter")"
 admin_pin_retries="${admin_pin_retries:-0}"
 DEBUG "Admin PIN retry counter is $admin_pin_retries"
+#TODO: as per hotp_verification 1.6: this is 8 for nk3 and wrong. FIX
 
 # Try using factory default admin PIN for 1 month following OEM reset to ease
 # initial setup.  But don't do it forever to encourage changing the PIN and

diff --git a/initrd/etc/ash_functions b/initrd/etc/ash_functions
@@ -154,7 +154,7 @@ confirm_gpg_card() {
 	# ensure we don't exit without retrying
 	errexit=$(set -o | grep errexit | awk '{print $2}')
 	set +e
-	gpg --card-status >/dev/null
+	gpg_output=$(gpg --card-status 2>&1)
 	if [ $? -ne 0 ]; then
 		# prompt for reinsertion and try a second time
 		read -n1 -r -p \
@@ -165,13 +165,25 @@ confirm_gpg_card() {
 			set -e
 		fi
 		# retry card status
-		gpg --card-status >/dev/null ||
+		gpg_output=$(gpg --card-status 2>&1) ||
 			die "gpg card read failed"
 	fi
 	# restore prev errexit state
 	if [ "$errexit" = "on" ]; then
 		set -e
 	fi
+
+	# Extract and display GPG PIN retry counters
+	# output excerpt: "PIN retry counter : 3 0 3"
+	pin_retry_counters=$(echo "$gpg_output" | grep 'PIN retry counter' | awk -F': ' '{print $2}')
+	user_pin_retries=$(echo "$pin_retry_counters" | awk '{print $1}')
+	admin_pin_retries=$(echo "$pin_retry_counters" | awk '{print $3}')
+
+	echo ""	
+	echo "GPG User PIN retry attempts left before locking: $user_pin_retries"
+	echo "GPG Admin PIN retry attempts left before locking: $admin_pin_retries"
+	warn "Please input your GPG User PIN at 'Please unlock the card' next prompt..."
+	echo ""
 }
 
 gpg_auth() {