Hi,
I followed this tutorial:
https://www.nitrokey.com/documentation/openpgp-create-backup
I only replaced the RSA key with NIST P-521. Here is my attempt…
Factory resetting the key, just to be sure:
[root@sysresccd ~]# gpg --card-edit
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
Reader ...........: 20A0:4108:000000000000000000006F15:0
Application ID ...: D276000124010303000500006F150000
Version ..........: 3.3
Manufacturer .....: ZeitControl
Serial number ....: 00006F15
Name of cardholder: [not set]
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 64 64 64
PIN retry counter : 3 0 3
Signature counter : 0
KDF setting ......: on
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
gpg/card> admin
Admin commands are allowed
gpg/card> factory-reset
gpg: OpenPGP card no. D276000124010303000500006F150000 detected
gpg: Note: This command destroys all keys stored on the card!
Continue? (y/N) y
Really do a factory reset? (enter "yes") yes
gpg/card>
[root@sysresccd ~]#
Generate the main key locally:
[root@sysresccd ~]# gpg --full-generate-key --expert
gpg (GnuPG) 2.2.15; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(9) ECC and ECC
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(13) Existing key
Your selection? 9
Please select which elliptic curve you want:
(1) Curve 25519
(3) NIST P-256
(4) NIST P-384
(5) NIST P-521
(6) Brainpool P-256
(7) Brainpool P-384
(8) Brainpool P-512
(9) secp256k1
Your selection? 5
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 10y
Key expires at Sat 30 Jun 2029 08:32:23 PM UTC
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: Test Nitro
Email address: nitro@dev.null
Comment: My nitro test with nist P-521
You selected this USER-ID:
"Test Nitro (My nitro test with nist P-521) <nitro@dev.null>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 9346D39EE37A29CF marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/E88DAF110E12F3909F5317EF9346D39EE37A29CF.rev'
public and secret key created and signed.
pub nistp521 2019-07-03 [SC] [expires: 2029-06-30]
E88DAF110E12F3909F5317EF9346D39EE37A29CF
uid Test Nitro (My nitro test with nist P-521) <nitro@dev.null>
sub nistp521 2019-07-03 [E] [expires: 2029-06-30]
[root@sysresccd ~]#
Then I create the authentication subkey:
[root@sysresccd ~]# gpg --edit-key --expert nitro@dev.null
gpg (GnuPG) 2.2.15; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2029-06-30
sec nistp521/9346D39EE37A29CF
created: 2019-07-03 expires: 2029-06-30 usage: SC
trust: ultimate validity: ultimate
ssb nistp521/2F20BEF8DA09958F
created: 2019-07-03 expires: 2029-06-30 usage: E
[ultimate] (1). Test Nitro (My nitro test with nist P-521) <nitro@dev.null>
gpg> addkey
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(12) ECC (encrypt only)
(13) Existing key
Your selection? 11
Possible actions for a ECDSA/EdDSA key: Sign Authenticate
Current allowed actions: Sign
(S) Toggle the sign capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? s
Possible actions for a ECDSA/EdDSA key: Sign Authenticate
Current allowed actions:
(S) Toggle the sign capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? a
Possible actions for a ECDSA/EdDSA key: Sign Authenticate
Current allowed actions: Authenticate
(S) Toggle the sign capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? q
Please select which elliptic curve you want:
(1) Curve 25519
(3) NIST P-256
(4) NIST P-384
(5) NIST P-521
(6) Brainpool P-256
(7) Brainpool P-384
(8) Brainpool P-512
(9) secp256k1
Your selection? 5
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 10y
Key expires at Sat 30 Jun 2029 08:36:32 PM UTC
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
sec nistp521/9346D39EE37A29CF
created: 2019-07-03 expires: 2029-06-30 usage: SC
trust: ultimate validity: ultimate
ssb nistp521/2F20BEF8DA09958F
created: 2019-07-03 expires: 2029-06-30 usage: E
ssb nistp521/651D13302BFB93A5
created: 2019-07-03 expires: 2029-06-30 usage: A
[ultimate] (1). Test Nitro (My nitro test with nist P-521) <nitro@dev.null>
gpg> quit
Save changes? (y/N) y
[root@sysresccd ~]#
I back up the keys:
[root@sysresccd ~]# gpg --export-secret-keys nitro@dev.null > sec-key.asc
[root@sysresccd ~]# gpg --export-secret-keys --armor nitro@dev.null > sec-key-armored.asc
[root@sysresccd ~]#
I will now try to export those keys to my Nitrokey Pro 2:
[root@sysresccd ~]# gpg --edit-key --expert nitro@dev.null
gpg (GnuPG) 2.2.15; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec nistp521/9346D39EE37A29CF
created: 2019-07-03 expires: 2029-06-30 usage: SC
trust: ultimate validity: ultimate
ssb nistp521/2F20BEF8DA09958F
created: 2019-07-03 expires: 2029-06-30 usage: E
ssb nistp521/651D13302BFB93A5
created: 2019-07-03 expires: 2029-06-30 usage: A
[ultimate] (1). Test Nitro (My nitro test with nist P-521) <nitro@dev.null>
gpg> keytocard
Really move the primary key? (y/N) y
Please select where to store the key:
(1) Signature key
(3) Authentication key
Your selection? 1
sec nistp521/9346D39EE37A29CF
created: 2019-07-03 expires: 2029-06-30 usage: SC
trust: ultimate validity: ultimate
ssb nistp521/2F20BEF8DA09958F
created: 2019-07-03 expires: 2029-06-30 usage: E
ssb nistp521/651D13302BFB93A5
created: 2019-07-03 expires: 2029-06-30 usage: A
[ultimate] (1). Test Nitro (My nitro test with nist P-521) <nitro@dev.null>
gpg> key 1
sec nistp521/9346D39EE37A29CF
created: 2019-07-03 expires: 2029-06-30 usage: SC
trust: ultimate validity: ultimate
ssb* nistp521/2F20BEF8DA09958F
created: 2019-07-03 expires: 2029-06-30 usage: E
ssb nistp521/651D13302BFB93A5
created: 2019-07-03 expires: 2029-06-30 usage: A
[ultimate] (1). Test Nitro (My nitro test with nist P-521) <nitro@dev.null>
gpg> keytocard
Please select where to store the key:
(2) Encryption key
Your selection? 2
**gpg: KEYTOCARD failed: Invalid value**
gpg> key 1
sec nistp521/9346D39EE37A29CF
created: 2019-07-03 expires: 2029-06-30 usage: SC
trust: ultimate validity: ultimate
ssb nistp521/2F20BEF8DA09958F
created: 2019-07-03 expires: 2029-06-30 usage: E
ssb nistp521/651D13302BFB93A5
created: 2019-07-03 expires: 2029-06-30 usage: A
[ultimate] (1). Test Nitro (My nitro test with nist P-521) <nitro@dev.null>
gpg> key 2
sec nistp521/9346D39EE37A29CF
created: 2019-07-03 expires: 2029-06-30 usage: SC
trust: ultimate validity: ultimate
ssb nistp521/2F20BEF8DA09958F
created: 2019-07-03 expires: 2029-06-30 usage: E
ssb* nistp521/651D13302BFB93A5
created: 2019-07-03 expires: 2029-06-30 usage: A
[ultimate] (1). Test Nitro (My nitro test with nist P-521) <nitro@dev.null>
gpg> keytocard
Please select where to store the key:
(3) Authentication key
Your selection? 3
sec nistp521/9346D39EE37A29CF
created: 2019-07-03 expires: 2029-06-30 usage: SC
trust: ultimate validity: ultimate
ssb nistp521/2F20BEF8DA09958F
created: 2019-07-03 expires: 2029-06-30 usage: E
ssb* nistp521/651D13302BFB93A5
created: 2019-07-03 expires: 2029-06-30 usage: A
[ultimate] (1). Test Nitro (My nitro test with nist P-521) <nitro@dev.null>
gpg> key 2
sec nistp521/9346D39EE37A29CF
created: 2019-07-03 expires: 2029-06-30 usage: SC
trust: ultimate validity: ultimate
ssb nistp521/2F20BEF8DA09958F
created: 2019-07-03 expires: 2029-06-30 usage: E
ssb nistp521/651D13302BFB93A5
created: 2019-07-03 expires: 2029-06-30 usage: A
[ultimate] (1). Test Nitro (My nitro test with nist P-521) <nitro@dev.null>
gpg> key 1
sec nistp521/9346D39EE37A29CF
created: 2019-07-03 expires: 2029-06-30 usage: SC
trust: ultimate validity: ultimate
ssb* nistp521/2F20BEF8DA09958F
created: 2019-07-03 expires: 2029-06-30 usage: E
ssb nistp521/651D13302BFB93A5
created: 2019-07-03 expires: 2029-06-30 usage: A
[ultimate] (1). Test Nitro (My nitro test with nist P-521) <nitro@dev.null>
gpg> keytocard
Please select where to store the key:
(2) Encryption key
Your selection? 2
**gpg: KEYTOCARD failed: Invalid value**
gpg> quit
Save changes? (y/N) y
[root@sysresccd ~]#
As you can see in the above capture, I could import the main key (SC) and the auth key (A), but not the encryption key, which fails with the message:
gpg: KEYTOCARD failed: Invalid value
As you can see below, two keys have been "stubbed", but not the encryption key:
[root@sysresccd ~]# gpg -K
/root/.gnupg/pubring.kbx
------------------------
sec> nistp521 2019-07-03 [SC] [expires: 2029-06-30]
E88DAF110E12F3909F5317EF9346D39EE37A29CF
Card serial no. = 0005 00006F15
uid [ultimate] Test Nitro (My nitro test with nist P-521) <nitro@dev.null>
ssb nistp521 2019-07-03 [E] [expires: 2029-06-30]
ssb> nistp521 2019-07-03 [A] [expires: 2029-06-30]
[root@sysresccd ~]#
I want to say that I'm sure one of my first tests worked with the same type of key, but now I'm doubting… I must be at my 10th test or more.
Last info:
[root@sysresccd ~]# gpg --version
gpg (GnuPG) 2.2.15
libgcrypt 1.8.4
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /root/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
[root@sysresccd ~]#
I also forgot to say that it works perfectly with NIST P-384 keys…
Anyway, do you see what could be the underlying cause?
Thx
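A small post-check for the keytocard procedure described in the post above. This is an added example (Python), not part of the original post or of the Nitrokey tutorial it follows. The point it makes is a security one: a keytocard run that fails for one subkey leaves that subkey's private material in the GnuPG home directory while the others have been reduced to stubs, so a script that inspects `gpg -K` and `gpg --card-status` should flag any non-stub key before the on-disk keyring is considered "moved". The two sample inputs are constructed from the `gpg -K` and `gpg --card-edit` listings quoted in the post; the regular expressions, the slot names `sign`/`encrypt`/`auth` and the function names are my own and assume the GnuPG 2.2 human-readable layout shown there (for real scripting, `gpg --with-colons` is the stable machine-readable format, which the post does not show).

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample input: the `gpg -K` listing quoted in the post
# (GnuPG 2.2.15 human-readable output, not produced by running gpg here).
SAMPLE_GPG_K = """\
/root/.gnupg/pubring.kbx
------------------------
sec>  nistp521 2019-07-03 [SC] [expires: 2029-06-30]
      E88DAF110E12F3909F5317EF9346D39EE37A29CF
      Card serial no. = 0005 00006F15
uid           [ultimate] Test Nitro (My nitro test with nist P-521) <nitro@dev.null>
ssb   nistp521 2019-07-03 [E] [expires: 2029-06-30]
ssb>  nistp521 2019-07-03 [A] [expires: 2029-06-30]
"""

# Constructed sample input: the relevant lines of `gpg --card-status`
# / `gpg --card-edit` quoted in the post (card still at factory attributes).
SAMPLE_CARD_STATUS = """\
Reader ...........: 20A0:4108:000000000000000000006F15:0
Application ID ...: D276000124010303000500006F150000
Version ..........: 3.3
Key attributes ...: rsa2048 rsa2048 rsa2048
PIN retry counter : 3 0 3
"""


class SecretKey(NamedTuple):
    kind: str                   # "sec" (primary) or "ssb" (subkey)
    algo: str                   # e.g. "nistp521"
    usage: str                  # capability letters, e.g. "SC", "E", "A"
    on_card: bool               # True when gpg prints the '>' stub marker
    card_serial: Optional[str] = None  # from the "Card serial no." line, if any


# "sec>  nistp521 2019-07-03 [SC] ..." / "ssb   nistp521 2019-07-03 [E] ..."
KEY_LINE = re.compile(r"^(sec|ssb)(>?)\s+(\S+)\s+\d{4}-\d{2}-\d{2}\s+\[([A-Z]+)\]")

# OpenPGP card slot that each capability letter lands in with keytocard.
USAGE_TO_SLOT = {"S": "sign", "E": "encrypt", "A": "auth"}


def parse_secret_keys(listing: str) -> List[SecretKey]:
    """Parse the key lines of `gpg -K`, keeping the stub marker and card serial."""
    keys: List[SecretKey] = []
    for raw in listing.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            kind, stub, algo, usage = m.groups()
            keys.append(SecretKey(kind, algo, usage, stub == ">"))
        elif line.startswith("Card serial no. =") and keys:
            # The serial line follows the stubbed key it belongs to.
            keys[-1] = keys[-1]._replace(card_serial=line.split("=", 1)[1].strip())
    return keys


def keys_still_on_disk(listing: str) -> List[SecretKey]:
    """Keys whose private material is still in the GnuPG home (not a stub).

    After a complete keytocard run this list is empty; anything left here
    means the backup on disk is not the only copy of that key."""
    return [k for k in parse_secret_keys(listing) if not k.on_card]


def card_key_attributes(card_status: str) -> Dict[str, str]:
    """Map the three 'Key attributes' entries to the sign/encrypt/auth slots."""
    for raw in card_status.splitlines():
        line = raw.strip()
        if line.startswith("Key attributes"):
            algos = line.split(":", 1)[1].split()
            if len(algos) != 3:
                raise ValueError(f"unexpected Key attributes line: {line!r}")
            return dict(zip(("sign", "encrypt", "auth"), algos))
    raise ValueError("no 'Key attributes' line in card status output")


def report(listing: str, card_status: str) -> List[str]:
    """One warning per key that is not yet on the card, naming the target slot
    and what the card currently reports for that slot."""
    slots = card_key_attributes(card_status)
    warnings = []
    for key in keys_still_on_disk(listing):
        slot = next((USAGE_TO_SLOT[c] for c in key.usage if c in USAGE_TO_SLOT), "?")
        warnings.append(
            f"{key.kind} {key.algo} [{key.usage}] still on disk; "
            f"target card slot '{slot}' currently reports {slots.get(slot, '?')}"
        )
    return warnings


if __name__ == "__main__":
    for line in report(SAMPLE_GPG_K, SAMPLE_CARD_STATUS) or ["all keys are card stubs"]:
        print(line)
```

Run against the listings from the post it reports exactly one line, for the `[E]` subkey, while the primary `[SC]` key and the `[A]` subkey show up as stubs bound to card serial `0005 00006F15`. The same check run after a successful round should return an empty list, which is the condition to require before deleting the on-disk keyring and relying on the `sec-key.asc` backup alone.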