Add --only-aes-key option to reset command

This patch adds an --only-aes-key option to the reset command to only
build a new AES key without performing a full factory reset.

Fixes #69

Author: robinkrahl

CHANGELOG.md

@@ -10,6 +10,8 @@ Unreleased
 - Fixed pinentry dialog highlighting some messages incorrectly as errors
 - Switched to using GitHub Actions as the project's CI pipeline
 - Bumped `nitrokey` dependency to `0.9.0`
+- Added the `--only-aes-key` option to the `reset` command to build a new AES
+  key without performing a factory reset
 
 
 0.4.0

doc/nitrocli.1

@@ -1,4 +1,4 @@
-.TH NITROCLI 1 2021-04-14
+.TH NITROCLI 1 2021-04-17
 .SH NAME
 nitrocli \- access Nitrokey devices
 .SH SYNOPSIS
@@ -79,12 +79,16 @@ This command locks the password safe (see the Password safe section). On the
 Nitrokey Storage, it will also close any active encrypted or hidden volumes (see
 the Storage section).
 .TP
-.B nitrocli reset
+.B nitrocli reset \fR[\fB\-\-only-aes-key\fR]
 Perform a factory reset on the Nitrokey.
 This command performs a factory reset on the OpenPGP smart card, clears the
 flash storage and builds a new AES key.
 The user PIN is reset to 123456, the admin PIN to 12345678.
 
+If the \fB\-\-only-aes-key\fR option is set, the command does not perform a
+full factory reset but only creates a new AES key.
+The AES key is for example used to encrypt the password safe.
+
 This command requires the admin PIN.
 To avoid accidental calls of this command, the user has to enter the PIN even
 if it has been cached.

doc/nitrocli.1.pdf

@@ -103,7 +103,7 @@ Command! {
     /// Accesses the password safe
     Pws(PwsArgs) => |ctx, args: PwsArgs| args.subcmd.execute(ctx),
     /// Performs a factory reset
-    Reset => crate::commands::reset,
+    Reset(ResetArgs) => |ctx, args: ResetArgs| crate::commands::reset(ctx, args.only_aes_key),
     /// Prints the status of the connected Nitrokey device
     Status => crate::commands::status,
     /// Interacts with the device's unencrypted volume
@@ -445,6 +445,13 @@ pub struct PwsStatusArgs {
   pub all: bool,
 }
 
+#[derive(Debug, PartialEq, structopt::StructOpt)]
+pub struct ResetArgs {
+  /// Only build a new AES key instead of performing a full factory reset.
+  #[structopt(long)]
+  pub only_aes_key: bool,
+}
+
 #[derive(Debug, PartialEq, structopt::StructOpt)]
 pub struct UnencryptedArgs {
   #[structopt(subcommand)]

src/args.rs

@@ -513,7 +513,7 @@ pub fn fill(ctx: &mut Context<'_>, attach: bool) -> anyhow::Result<()> {
 }
 
 /// Perform a factory reset.
-pub fn reset(ctx: &mut Context<'_>) -> anyhow::Result<()> {
+pub fn reset(ctx: &mut Context<'_>, only_aes_key: bool) -> anyhow::Result<()> {
   with_device(ctx, |ctx, mut device| {
     let pin_entry = pinentry::PinEntry::from(args::PinType::Admin, &device)?;
 
@@ -522,20 +522,28 @@ pub fn reset(ctx: &mut Context<'_>) -> anyhow::Result<()> {
     pinentry::clear(&pin_entry).context("Failed to clear cached secret")?;
 
     try_with_pin(ctx, &pin_entry, |pin| {
-      device
-        .factory_reset(&pin)
-        .context("Failed to reset to factory settings")?;
-      // Work around for a timing issue between factory_reset and
-      // build_aes_key, see
-      // https://github.com/Nitrokey/nitrokey-storage-firmware/issues/80
-      thread::sleep(time::Duration::from_secs(3));
-      // Another work around for spurious WrongPassword returns of
-      // build_aes_key after a factory reset on Pro devices.
-      // https://github.com/Nitrokey/nitrokey-pro-firmware/issues/57
-      let _ = device.get_user_retry_count();
-      device
-        .build_aes_key(nitrokey::DEFAULT_ADMIN_PIN)
-        .context("Failed to rebuild AES key")
+      if only_aes_key {
+        // Similar to the else arm, we have to execute this command to avoid WrongPassword errors
+        let _ = device.get_user_retry_count();
+        device
+          .build_aes_key(&pin)
+          .context("Failed to rebuild AES key")
+      } else {
+        device
+          .factory_reset(&pin)
+          .context("Failed to reset to factory settings")?;
+        // Work around for a timing issue between factory_reset and
+        // build_aes_key, see
+        // https://github.com/Nitrokey/nitrokey-storage-firmware/issues/80
+        thread::sleep(time::Duration::from_secs(3));
+        // Another work around for spurious WrongPassword returns of
+        // build_aes_key after a factory reset on Pro devices.
+        // https://github.com/Nitrokey/nitrokey-pro-firmware/issues/57
+        let _ = device.get_user_retry_count();
+        device
+          .build_aes_key(nitrokey::DEFAULT_ADMIN_PIN)
+          .context("Failed to rebuild AES key")
+      }
     })
   })
 }

src/commands.rs

@@ -1,6 +1,6 @@
 // reset.rs
 
-// Copyright (C) 2019-2020 The Nitrocli Developers
+// Copyright (C) 2019-2021 The Nitrocli Developers
 // SPDX-License-Identifier: GPL-3.0-or-later
 
 use nitrokey::Authenticate;
@@ -43,3 +43,59 @@ fn reset(model: nitrokey::Model) -> anyhow::Result<()> {
 
   Ok(())
 }
+
+#[test_device]
+fn reset_only_aes_key(model: nitrokey::Model) -> anyhow::Result<()> {
+  const NEW_USER_PIN: &str = "654321";
+  const NAME: &str = "slotname";
+  const LOGIN: &str = "sloglogin";
+  const PASSWORD: &str = "slotpassword";
+
+  let mut ncli = Nitrocli::new().model(model).new_user_pin(NEW_USER_PIN);
+
+  // Change the user PIN
+  let _ = ncli.handle(&["pin", "set", "user"])?;
+
+  // Add an entry to the PWS
+  {
+    let mut manager = nitrokey::force_take()?;
+    let mut device = manager.connect_model(model)?;
+    let mut pws = device.get_password_safe(NEW_USER_PIN)?;
+    pws.write_slot(0, NAME, LOGIN, PASSWORD)?;
+  }
+
+  // Build AES key
+  let mut ncli = Nitrocli::new().model(model);
+  let out = ncli.handle(&["reset", "--only-aes-key"])?;
+  assert!(out.is_empty());
+
+  // Check that 1) the password store works, i.e., there is an AES key,
+  // that 2) we can no longer access the stored data, i.e., the AES has
+  // been replaced, and that 3) the changed user PIN still works, i.e.,
+  // we did not perform a factory reset.
+  {
+    let mut manager = nitrokey::force_take()?;
+    let mut device = manager.connect_model(model)?;
+    let pws = device.get_password_safe(NEW_USER_PIN)?;
+    let slot = pws.get_slot_unchecked(0)?;
+
+    if let Ok(name) = slot.get_name() {
+      assert_ne!(NAME, &name);
+    }
+    if let Ok(login) = slot.get_login() {
+      assert_ne!(LOGIN, &login);
+    }
+    if let Ok(password) = slot.get_password() {
+      assert_ne!(PASSWORD, &password);
+    }
+  }
+
+  // Reset the user PIN for other tests
+  let mut ncli = ncli
+    .user_pin(NEW_USER_PIN)
+    .new_user_pin(nitrokey::DEFAULT_USER_PIN);
+  let out = ncli.handle(&["pin", "set", "user"])?;
+  assert!(out.is_empty());
+
+  Ok(())
+}