From: Rubén Llorente <porting@use.startmail.com>
Subject: Re: [NEW]: security/nitrocli
To: ports@openbsd.org, Stuart <stu@spacehopper.org>, "Kirill A. Korinsky" <kirill@korins.ky>
Date: Sat, 9 Nov 2024 22:25:00 +0000

Kirill A. Korinsky wrote:
> Ruben,
> 
> I jsut had recieved my Nitrokey and tried your port. Seems that readme had
> missed some pices because when I do:
> 
>          nitrocli $ dmesg | tail
>          uhidev0: iclass 3/0
>          fido0 at uhidev0: input=64, output=64, feature=0
>          ugen0 at uhub0 port 1 configuration 1 "Nitrokey Nitrokey 3" rev 2.10/1.07 addr 2
>          fido0 detached
>          uhidev0 detached
>          ugen0 detached
>          uhidev0 at uhub0 port 1 configuration 1 interface 1 "Nitrokey Nitrokey 3" rev 2.10/1.07 addr 2
>          uhidev0: iclass 3/0
>          fido0 at uhidev0: input=64, output=64, feature=0
>          ugen0 at uhub0 port 1 configuration 1 "Nitrokey Nitrokey 3" rev 2.10/1.07 addr 2
>          nitrocli $ usbdevs | grep -e /dev/usb -e Nitrokey
>          Controller /dev/usb0:
>          addr 02: 20a0:42b2 Nitrokey, Nitrokey 3
>          nitrocli $ doas chmod 660 /dev/usb0 /dev/ugen0.* /dev/uhid0
>          nitrocli $ ls -l /dev/usb0 /dev/ugen0.* /dev/uhid0
>          crw-rw----  1 root  wheel  63,  0 Nov  6 12:11 /dev/ugen0.00
>          crw-rw----  1 root  wheel  63,  1 Nov  9 13:37 /dev/ugen0.01
>          crw-rw----  1 root  wheel  63,  2 Nov  9 13:31 /dev/ugen0.02
>          crw-rw----  1 root  wheel  63,  3 Nov  6 12:11 /dev/ugen0.03
>          crw-rw----  1 root  wheel  63,  4 Nov  6 12:11 /dev/ugen0.04
>          crw-rw----  1 root  wheel  63,  5 Nov  6 12:11 /dev/ugen0.05
>          crw-rw----  1 root  wheel  63,  6 Nov  6 12:11 /dev/ugen0.06
>          crw-rw----  1 root  wheel  63,  7 Nov  6 12:11 /dev/ugen0.07
>          crw-rw----  1 root  wheel  63,  8 Nov  6 12:11 /dev/ugen0.08
>          crw-rw----  1 root  wheel  63,  9 Nov  6 12:11 /dev/ugen0.09
>          crw-rw----  1 root  wheel  63, 10 Nov  6 12:11 /dev/ugen0.10
>          crw-rw----  1 root  wheel  63, 11 Nov  6 12:11 /dev/ugen0.11
>          crw-rw----  1 root  wheel  63, 12 Nov  6 12:11 /dev/ugen0.12
>          crw-rw----  1 root  wheel  63, 13 Nov  6 12:11 /dev/ugen0.13
>          crw-rw----  1 root  wheel  63, 14 Nov  6 12:11 /dev/ugen0.14
>          crw-rw----  1 root  wheel  63, 15 Nov  6 12:11 /dev/ugen0.15
>          crw-rw----  1 root  wheel  62,  0 Nov  6 12:11 /dev/uhid0
>          crw-rw----  1 root  wheel  61,  0 Nov  6 12:11 /dev/usb0
>          nitrocli $ nitrocli list
> 
> the list is blocked. I had waited for about 20 minutes before I give up.
> 
> I run -current/amd64
> 

Most likely you gave rw permissions against the wrong uhid.

When I plug my Nitrokey Storage 2 I get a line such as this in dmesg:

uhid1 at uhidev3: input=64, output=64, feature=64

Quick and dirty way to check this is to give rw permissions against all 
the /dev/uhid* devices.

Also, important, due to a bug in the libnitrokey library, if you use 
your Nitrokey for GPG/smartcard related stuff, you won't be able to 
perform libnitrokey operations afterwards. This is: if you sign an 
OpenPGP message then you will need to kill the gpg-agent before you can 
do "nitrocli list".